Unix System Administration IT Audit Preparation 2006-08-21

Page 1: Unix System Administration IT Audit Preparation 2006-08-21

Unix System Administration

IT Audit Preparation

2006-08-21

Page 2

Presentation Conventions

Names (files, users, daemons) are usually in bold: /etc/syslog.conf

System-dependent or variable items are usually in italics: /var/sadm/patch/patchnumber/log

File entries and output are in mono-spaced type:

> root 8036 c Tue Apr 26 23:59:00 2005
< root 8036 c Tue Apr 26 23:59:59 2005

A wrap symbol marks a line wrapped to fit on the slide: mv Solaris_9_Recommended_Patch_Cluster_log Solaris_9_Recommended_Patch_Cluster_log.yyyymmdd

A tab symbol marks a horizontal tab (09 hex).

Reference OE is Solaris 9.

Page 3

Introduction

Suggestions for preparing your system prior to running the script from the auditor's office and before the auditor's port scan.

Based on the script supplied by the schools most recently audited; the script name is comcol06.

Primary focus is on the audit, not on making your system more secure.

Page 4

Introduction continued

Comments within the script help with what the auditors are looking for, but sometimes you may have to guess.

References to 'website' refer to the IIPS page http://nciips.cc.nc.us/Standards.html, section "Helpful information and scripts for your next audit".

Page 5

Solution Methods

Single-shot command, i.e. find blah-blah -exec (usually not recommended). If you use this, keep a log of what you have done.

Ad-hoc custom scripts.

Sun applications such as Solaris® Security Toolkit, or individual Sun scripts from the toolkit (fixmodes, nddconfig, etc.).

Third-party security applications: YASSP, TITAN (4.0 for Solaris 9), etc.

Cfengine configuration program.

Page 6

1 – 37 Introduction

Notes on how to execute; directions refer to previous version of file (comcol05).

Prints host name and domain name, etc.

Page 7

38 – 48 List /etc/syslog.conf

Presumably looking at the configuration to see if the system is logging repeated login failures.

The default Solaris 9 /etc/syslog.conf already does this in lines 12 and 13:

*.err;kern.notice;auth.notice           /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

Page 8

Default /etc/syslog.conf line 12:

*.err;kern.notice;auth.notice /dev/sysmsg

The authorization system reports repeated login failures and password change failures at the crit level, so auth.notice would send messages about these to the console.

Page 9

Default /etc/syslog.conf line 13:

*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages

*.err logs all facility messages of err or higher; therefore the default configuration will log repeated login failures, which are at the crit level, to the messages file:

May 8 10:40:28 sun0 login: REPEATED LOGIN FAILURES ON /dev/pts/23 FROM 10.1.7.220

Page 10

49 – 56 List patches: showrev -p

Because the script does not interrogate the system to determine which packages are installed, it is possible that the auditors will incorrectly conclude that your system is missing some required patches.

Try providing the auditors with the recommended cluster log, Solaris_9_Recommended_Patch_Cluster_log in /var/sadm/install_data.

Page 11

49 – 56 list patches continued

The cluster log will indicate patches that cannot be applied because the package isn’t on the system with:

One or more patch packages included in ######-## are not installed on this system.

Patchadd is terminating.

Page 12

71 – 86 List /etc/inetd.conf

Checking to see if services with known vulnerabilities have been commented out.

inetd.conf is the configuration file for the inetd daemon. inetd is the server process for some Internet standard services (but not all). It will start services only when requested and if they are listed in inetd.conf. This file will also affect the auditor's port scan.

Page 13

List /etc/inetd.conf continued

Two types of services are listed in inetd.conf:

Standard socket-based services that use the well-known port numbers; these match the service name listed in /etc/services.

Non-standard services that use a service name instead of a well-known port, based on RFC 1078 TCP Port Service Multiplexor (TCPMUX). In other words, RPC services.

Page 14

List /etc/inetd.conf continued

For example, the inetd.conf entry

shell stream tcp nowait root /usr/sbin/in.rshd in.rshd

corresponds to the /etc/services entry:

shell 514/tcp

A request on TCP port 514 will result in inetd running the remote shell in.rshd found in /usr/sbin as root.

Page 15

List /etc/inetd.conf continued

An RPC entry follows the service name with a '/' and version number, etc. For example, the inetd.conf entry

rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad

is the entry for UFS disk quotas for NFS clients.

rpcbind listens on port 111 and handles a request for the service based on the service's name.

Page 16

Removing Services from inetd.conf

Only run services that are required, based on appropriate risk assessment.

Remove services by inserting comment symbol (#) at beginning of the line that configures the service.

Signal inetd daemon to use new configuration: pkill -1 inetd

Page 17

/etc/inetd.conf socket-based services that should always be removed

name (in.tnamed), shell (in.rshd), login (in.rlogind), exec (in.rexecd), comsat (in.comsat), talk (in.talkd), finger (in.fingerd)

systat, netstat, time, echo, discard, daytime, chargen

Page 18

/etc/inetd.conf rpc services that should always be removed (1)

100232 (sadmind), rquotad, rusersd, sprayd, walld, rstatd, rexd, uucp ¹, 100083 (ToolTalk DB), 100221 (kcms server ²), fs (Sun Font Server), 100235 (cachefsd)

1. Recommend removing both uucp packages: SUNWbnur and SUNWbnuu.

2. Recommend removing all Kodak Color Management System packages: SUNWkcspf, SUNWkcspg, SUNWkcsrl, SUNWkcsrr, and SUNWkcsrt.

Page 19

/etc/inetd.conf rpc services that should always be removed (2)

100134 (Kerberos warning message daemon), 100242 (Kerberos DB Propagation daemon), 100146 (smartcard: amiserv), 100147 (smartcard: amiserv), 100150 (smartcard: OCF daemon), sun-dr (dynamic configuration server), 300326 (dynamic configuration server E10000), 100424 (Standard Type Services Framework (STSF) Font Server)
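As an added example (not part of the original slides), the shell function below walks a copy of inetd.conf and reports the active entries that appear on the "should always be removed" lists from slides 17 to 19, so they can be commented out and inetd signalled before the auditor's port scan. The inetd.conf fragment is constructed for the demonstration and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the slides: list active inetd.conf entries that the
# "should always be removed" slides name. Assumes the Solaris 9 inetd.conf
# layout: service, socket/protocol fields, wait flag, user, server path, args;
# RPC services carry a "/version" suffix on the service field.

# Socket-based and RPC services from slides 17-19. Note that 100242 also
# appears on the Volume Manager list (slides 20 and 27); it is kept here
# because the Kerberos slide says to remove it.
ALWAYS_REMOVE="name shell login exec comsat talk finger systat netstat time echo
discard daytime chargen 100232 rquotad rusersd sprayd walld rstatd rexd uucp
100083 100221 fs 100235 100134 100242 100146 100147 100150 sun-dr 300326 100424"

# list_flagged FILE: print "service<TAB>server-path" for every uncommented entry
# whose service name is on the list. Exit status 0 if the file is clean,
# 1 if anything was flagged, so it can gate a pre-audit check.
list_flagged() {
    file=$1
    found=0
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;       # blank or already commented out
        esac
        set -- $line                   # split fields: $1 service ... $6 server path
        svc=${1%%/*}                   # drop the RPC "/version" suffix
        for bad in $ALWAYS_REMOVE; do
            if [ "$svc" = "$bad" ]; then
                printf '%s\t%s\n' "$svc" "$6"
                found=1
                break
            fi
        done
    done <"$file"
    return $found
}

# write_sample FILE: a constructed inetd.conf fragment, not a real system file.
write_sample() {
    cat >"$1" <<'EOF'
# constructed sample, not a real system file
ftp        stream  tcp6  nowait  root    /usr/sbin/in.ftpd      in.ftpd -l
telnet     stream  tcp6  nowait  root    /usr/sbin/in.telnetd   in.telnetd
#shell     stream  tcp   nowait  root    /usr/sbin/in.rshd      in.rshd
finger     stream  tcp   nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
rquotad/1  tli     rpc/datagram_v  wait  root  /usr/lib/nfs/rquotad  rquotad
100232/10  tli     rpc/udp         wait  root  /usr/sbin/sadmind     sadmind
EOF
}

# Demonstration: run the check over the constructed sample.
sample=$(mktemp)
write_sample "$sample"
if list_flagged "$sample"; then
    echo "no flagged inetd.conf entries"
else
    echo "comment out the entries above, then signal inetd: pkill -1 inetd"
fi
rm -f "$sample"
```

On the sample, finger, rquotad and 100232 (sadmind) are reported; the commented-out shell entry is not.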

Page 20

/etc/inetd.conf Entries Requiring a Risk Assessment

ftp, telnet, tftp, printer

NetBackup related: 100234 (gssd), bpcd, vnetd, bpjava-msvc

Logical Volume Management: 100229, 100230, 100068, 100242, 100155, & 100422.

SunVTS: 100153

Removable Media Server: 100155/1

Page 21

/etc/inetd.conf: ftp

Vulnerability: Insecure; clear-text transfer of authentication credentials and data.

Risk Assessment: Required for Datatel Communications Management if not using Secure UI.

Other file transfers may be replaced with the SunSSH scp or sftp programs.

The note in the audit script states that in.ftpd should have the '-l' option for logging. Put this in to make the auditors happy.

Page 22

/etc/inetd.conf: ftp continued

Due to the change of the ftp daemon to wu-ftp in Solaris 9, in order to actually log ftp connections /etc/default/inetd will need to have the comment removed from the line with ENABLE_CONNECTION_LOGGING=YES.

Recommend these entries in /etc/ftpd/ftpaccess:

banner /etc/ftpd/banner.msg
greeting terse
message /etc/ftpd/welcome.msg login

Recommend /etc/ftpd/banner.msg have the same legal warning message as /etc/issue, and have no /etc/ftpd/welcome.msg file.

Page 23

/etc/inetd.conf: telnet

Vulnerability: Insecure; clear-text transfer of authentication credentials and data.

Risk Assessment: Required for Datatel client access if not using UI SSL. Datatel InstallShield requires it regardless of the UI setting. Recommend use of ssh for administrative logins.

Page 24

/etc/inetd.conf: tftp

Vulnerability: No authentication. Unpredictable results when attempting to change the home directory. Runs as user nobody; can read all publicly readable files and write to all publicly writable files.

Risk Assessment: Leave enabled only if required to boot print servers or other diskless clients.

Page 25

/etc/inetd.conf: printer

Vulnerability: At one time there was a buffer overflow exploit in in.lpd. Runs as root; vulnerable to spoofing as it uses the IP address for authentication.

Risk Assessment: The buffer overflow vulnerability was fixed in 2001. But this service is not required if the system has EasySpooler installed; recommend leaving it enabled only if the system does not have EasySpooler and needs to provide BSD printer services.

Page 26

/etc/inetd.conf: NetBackup Services

NetBackup inserts these entries into inetd.conf: 100234 (gssd; Generic Security Service), bpcd, ventd, vopied, bpjava-misc

Risk Assessment: Required if using NetBackup; 100234 is only required if backing up remote clients using NFS.

Page 27

/etc/inetd.conf: Logical Volume Management

Solaris Volume Manager may insert the following entries: 100229 (rpc.metad: remote metaset services), 100230 (rpc.metamhd: manage multi-hosted disks), 100242 (rpc.metamedd: manages mediator information), 100442 (rpc.mdcommd: multi-node communication daemon)

Risk Assessment: Very little information provided by Sun. rpc.metad and rpc.metamhd were used for remote systems or by metatool, which is no longer in Solaris 9. Volume management seems to work without rpc.metamedd and rpc.mdcommd, but I'm still running them as a precaution.

Page 28

/etc/inetd.conf: sunvts

Vulnerability: At one time there was a buffer overflow potential with older versions.

Risk Assessment: Sun Validation and Test Suite seems to require this inetd.conf entry for both local and remote. Depends on whether you want to run sunvts.

Page 29

/etc/inetd.conf: rpc.smserverd

Vulnerability: None that I can find, other than the usual RPC problems.

Risk Assessment: Handles requests from client applications to handle removable media (tape and cd media, not PCMCIA devices). Seems safe to use at this time.

Page 30

87 – 93 List /etc/ftpusers

In Solaris 9 Sun modified the in.ftpd daemon to one based on the Washington University FTP (wu-ftp) server.

As a result, the use of /etc/ftpusers has been deprecated; users who cannot log in to the ftp server should be listed in /etc/ftpd/ftpusers.

Therefore there may not be an /etc/ftpusers file that can be listed, so this may have to be pointed out to the auditors.

Page 31

101 List /etc/init.d/inetinit

inetinit is the startup script that handles TCP/IP configuration. Sets up the default router, ipsec, etc. Reads /etc/default/inetinit to set TCP ISS (Initial Sequence Number) generation; see next slide.

No need to modify this script. Use Sun's nddconfig script to harden the network stack; you may want to show this to the auditors.

Page 32

105 List /etc/default/inetinit

Looking for the TCP_STRONG_ISS setting. A TCP session is easily hijacked if initial sequence numbers are easily guessed (see CERT Advisory CA-2001-09 and RFC 1948).

Be sure the TCP_STRONG_ISS setting in /etc/default/inetinit is:

TCP_STRONG_ISS=2

Page 33

107 – 109 List /etc/notrouter

The system should not be running a routing protocol and forwarding packets.

When the machine boots, /etc/rc2.d/S69inet will set up the machine for routing if there is no /etc/notrouter file.

Make sure the system has /etc/notrouter; if not, create it by giving the commands:

touch /etc/notrouter
chgrp other /etc/notrouter
chmod 400 /etc/notrouter

Page 34

111 – 113 List /etc/defaultrouter

Existence prevents system from running a routing protocol.

Make sure system has /etc/defaultrouter specifying the host’s default router(s).

Page 35

115 – 130 List /etc/hosts and /etc/hosts*

Lists /etc/hosts to help in reading other files?

Looking for hosts.equiv files: these are files for specifying trusted hosts and users for the "r" commands (rcp, rlogin, rsh, rcmd).

Should not have: these allow trusted users to access a system without supplying a password.

If the system is running tcp_wrappers, there may be hosts.allow or hosts.deny; these are not a security problem.

Page 36

131 – 137 List /etc/netgroups

Looking for NIS netgroup file. Should not have; remove if system has one.

Page 37

138 – 148 List all rhosts files

There are also files for specifying trusted hosts and users for the BSD "r" commands (rcp, rlogin, rsh, rcmd).

Should not have: these allow trusted users to access a system without supplying a password.

Remove them if the system has them, or be prepared to explain why they are on the system.

Page 38

154 – 158 List /etc/motd and /etc/issue

Should be a legal warning and not reveal information about the system. See standard C3 Legal Warning Banners.

If nothing else, be sure that /etc/motd is not the default, which reveals the Operating System and version:

Sun Microsystems, Inc.   SunOS 5.9       Generic January 2003

Page 39

159 – 192 List /etc passwd, shadow, and group

Specifically looking for whether all accounts have passwords or are locked, odd user names, and unique UIDs.

Review /etc/passwd and /etc/shadow. Make sure users have password aging, inactivity days set, etc.

The logins command is helpful:

logins -d will display logins with duplicate uids
logins -p will display logins with no password

Page 40

159 – 192 List /etc passwd, shadow, and group continued

The passwd command can be used to set password aging:

passwd -x 90 jdoe

The usermod command can be used to set the maximum number of days allowed between uses of a login ID before it is made invalid (auditors like 180 days):

usermod -f 180 jdoe
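As an added example (not from the slides), the awk-based check below reads copies of passwd and shadow and reports the items slides 39 and 40 say the auditors look for: accounts without a password, duplicate UIDs, and unlocked accounts with no maximum password age or no inactivity limit, naming the passwd -x / usermod -f fix from slide 40. The sample files are constructed, with placeholder strings in the hash field, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original slides. Assumes the Solaris shadow
# layout: name:password:lastchg:min:max:warn:inactive:expire:flag
# An empty password field means no password; "NP" or "*LK*..." means locked,
# and a locked account is not reported for missing aging values.

# account_findings PASSWD SHADOW: print one finding per line. Exit status 0
# when nothing was found, 1 otherwise, so it can gate a pre-audit check.
account_findings() {
    awk -F: '
        FNR == NR { uid[$1] = $3; dup[$3]++; next }   # first file: passwd
        {                                             # second file: shadow
            user = $1; pw = $2; max = $5; inact = $7
            locked = (pw == "NP" || pw ~ /^\*LK\*/)
            if (pw == "")           { print user ": no password"; n++ }
            if (dup[uid[user]] > 1) { print user ": duplicate uid " uid[user]; n++ }
            if (!locked && max == "")
                { print user ": no maximum password age (passwd -x 90 " user ")"; n++ }
            if (!locked && inact == "")
                { print user ": no inactivity limit (usermod -f 180 " user ")"; n++ }
        }
        END { exit (n > 0) }
    ' "$1" "$2"
}

# write_samples PASSWD SHADOW: constructed sample files for the demonstration
# (PLACEHOLDERHASH stands in for a real password hash).
write_samples() {
    cat >"$1" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
jdoe:x:1001:10:John Doe:/export/home/jdoe:/bin/ksh
backup:x:1001:10:Backup operator:/export/home/backup:/bin/sh
guest:x:1002:10:Guest:/export/home/guest:/bin/sh
EOF
    cat >"$2" <<'EOF'
root:PLACEHOLDERHASH:13000:7:90:14:180::
daemon:NP:6445::::::
jdoe:PLACEHOLDERHASH:13000:7:90:14:180::
backup:PLACEHOLDERHASH:13000::::::
guest::13000:7:90:14:180::
EOF
}

# Demonstration on the constructed samples.
pf=$(mktemp); sf=$(mktemp)
write_samples "$pf" "$sf"
account_findings "$pf" "$sf" || echo "fix the findings above before the audit"
rm -f "$pf" "$sf"
```

On the samples this reports jdoe and backup sharing uid 1001, backup with no aging or inactivity limit, and guest with an empty password field; daemon is locked and is not reported.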

Page 41

193 – 211 List SUID and SGID Files Owned by Root

Lists the last 200 root SUID files found, and the last 200 root SGID files found.

Use the spreadsheet at the website to make a risk assessment (will update for Solaris 9) before removing SUID or SGID; some files must have these bits set in order for the system to function.

Page 42

212 – 267 Examines crontab access

/etc/cron.d/cron.allow: Usually should have only root, lp, and sys. If using cron to resize Datatel files, either add the datatel user or run with the "su - datatel -c" option.

/etc/cron.d/at.allow: Either do not have, or have root as the only entry.

/etc/cron.d/cron.deny and /etc/cron.d/at.deny: Should not exist.

Page 43

268 – 274 List Files Without a Legal Owner

See standard C1 File Ownership Guidelines. Will put delete.user script on website to help.

Page 44

275 – 285 List perms and contents of /var/adm/*log

Make sure to have /var/adm/loginlog:

touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog

Note that the script command will list every file in /var/adm ending in 'log'.

Page 45

286 – 295 List perms and contents of /etc/default/login

Make sure to uncomment the line 'CONSOLE=/dev/console' to prevent remote root login.

Most of the other entries can be set elsewhere or are defaults.

If you want to log every single failed login attempt, change SYSLOG_FAILED_LOGINS to 0 as well as RETRIES.

Page 46

296 – 314 List perms and contents (last 100 lines) of /var/adm/sulog

May have to explain some entries.

Page 47

286 – 295 List perms and contents of /etc/default/login

May have to explain some entries.

Check UMASK setting (007).

Page 48

340 – 360 List perms and contents of all user .profile files.

The method used to list the file contents (cat /export/home/*/*profile) will make it impossible for the auditor to know which contents belong to which file (unless every file has a comment header).

Page 49

361 – 368 List perms and contents of a root profile (/.profile).

Solaris 9 doesn’t have one as /etc/default/su handles some of a root .profile’s functions.

Some security folks prefer a separate root home directory and .profile; Solaris has / as root’s home directory. May have to explain to auditors.

Page 50

369 – 379 List perms of /export/home directories.

Check for world-writable perms; there shouldn't be any.

Page 51

380 – 395 List cron log (last 100 lines)

Script: "Determine if the sync utility is periodically executed to copy disk buffer to disk so that loss of data is kept at a minimum in the event of system failure. This can be verified by reviewing the contents of the table stored in the crontab file, which lists the programs executed periodically. These programs are executed by the cron utility as background processes. The system administrator typically maintains the \etc\crontab file."

Page 52

380 – 395 List cron log continued

It is not necessary to call sync in crontab because there is a Solaris fsflush daemon that automatically (and intelligently) handles this process; the default setting runs the daemon every 30 seconds.

If you need to show them any documentation, the Solaris Tunable Parameters Reference Manual (817-1759) starting on page 29 discusses the fsflush daemon and its settings for /etc/system.

Page 53

396 – 403 List permissions of tape devices

See standard C8 Backup Device Security. The method used will probably not give the actual permissions; may want to use:

ls -lL /dev/rmt

and give the auditors the results.

Page 54

404 – 414 List world-writable directories

Script: "The only world writable directories should be spool/public directories e.g. '/tmp' and should have the sticky bit set. Pay particular attention to any system owned directories that contains executables (sic)"

Check with:

find / -type d -perm -0002 -exec ls -ld {} \;

Page 55

415 – 423 List world-writable files

Script: "Obtain a list of the world writable files and examine them for validity. Pay particular attention to any system owned executable or control file."

Check with:

find / -type f -perm -0002 -exec ls -al {} \;