forked from 0xwindows/tiger
/
TODO.checks
181 lines (153 loc) · 7.32 KB
/
TODO.checks
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
This TODO details things that need to be done to improve the current
security checks implemented in Tiger.
IMPROVEMENTS
------------
- Modify the rhosts check so that it will check for shosts files too
(or create a new check_shosts file)
- Modify check_network to include hosts.lpd in the tests
- Add .bash_profile into check_path
- Add more information to the messages outputed for inetd services which
might expose password information (Unix CERT configuration list item #2.4)
- check_rootkit should also consider analysing modification times of
important system files (binaries as well as logfiles).
Mtime, atime and ctime should not be in the future and mtime/ctime
of binaries should be similar to the time the system was installed
(unless it has been patched). Similarly, logfiles should not have
similar (almost equal) ctimes. This needs to be carefully planned in
order to avoid confusion of logfile rotation vs. a log cleaner though.
- check_patches for Solaris should generate better messages for security
and/or recommended patches (|R|S|). The check needs to be tested for
Solaris 9 too.
Also check_patches should only output information for packages installed.
- check_known should be improved to detect for symlink attacks and
hard links in user writable directories (/tmp, /var/tmp and, in
some systems, /var/spool/mail too, the directory list might be
defined in tigerrc or extracted by parsing the file system)
NEW CHECKS
-----------
- Create the following (generic) scripts:
- Check root $HOME files (might be redundant with check_path's)
- Do alias give the same as check_aliases?
- writable/executable check + word writable? (in find_files)
- Check for SAMBA configuration (checklist #20 SANS):
. encrypted passwords.
. 600 /etc/smbpasswd or /etc/samba/smbpasswd
. shares enabled/disabled
. guest access
. create mask (770)
- Check newer FTP (/etc/ftpaccess in newer Linux systems, ftpusers
is deprecated) see checklist #22 of SANS.
(DONE)- The check_inetd script should be improved to warn if echo/chargen..
services are enabled (SANS unix checklist #3 and Linux #4)
- SANS unix checklist #18
. Solaris /etc/system (noexec stack)
. Solaris locked accounts (#18 and #21)
. Solaris default/login
. Solaris /etc/default/kbd
- Partition checks (in Linux /etc/fstab, in Solaris /etc/vfstab),
if there is a /usr, /opt then read-only, if /var
or /tmp suggest nosuid (maybe noexec, although it's not a real
improvement). Separate partitions for /var, /usr, /tmp, /home
(boot?) so that no hard links attacks are possible.
In general user writable directories should be separated from
from system directories to avoid (hard) symlink attacks and
local DoS due to partitions being full.
In some installations /var/log or /var/spool (or /var/mail) might
make sense to be separated.
- Solaris /etc/notrouter to disable
- Suggested by Bob Hall:
* Check if any local file systems are being exported to
'localhost'. Also check if the local host is in a netgroups
entry in its own exports file.
* Look for (unexpected) normal files under /dev.
(Note: included in 'check_devices', done?)
* Check for user startup files that call 'umask' with weak
settings. (Should be 022 or 027.)
(Note: included in 'check_umask' using GENPASSWDSETS, done?)
* Check that '-' is not the first character in a /etc/hosts.equiv
/etc/hosts.lpd, or .rhosts files. Also check for a '+' entry in
hosts.lpd file.
(Note: included in 'check_rhosts'?)
* If a system allows it, check for an /etc/shells file and look
if the permitted shells are in the system directories.
References:
http://www.cert.org/tech_tips/usc20.html
http://www.cert.org/advisories/CA-2001-30.html
http://www.ciac.org/ciac/bulletins/b-37.shtml
http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/unixsecurity.nrl.txt
- Detect promiscous mode (DONE)
- Rootkits check, like chkrootkit (DONE)
Reference:
http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html
- Implement a check for configuration files for user's password policies
and other sensible configuration such as /etc/login.access, /etc/login.defs,
/etc/login.conf
- Implement a generic script to test package management systems
(i.e. run 'rpm -Va' in RedHat, 'pkgchk' in Solaris). Most of these check:
md5sums, permissions, size, user/group ownerships...
These can be useful to detect trivial rootkits but might be redundant
when using also integrity checkers.
Note: The Debian deb_checkmd5sums only covers part of that (using
debsums), dpkg does not have a verify mode (see Debian Bug #187019)
References:
RedHat: http://www.rpm.org/max-rpm/ch-rpm-verify.html
http://www.rpm.org/max-rpm/s1-rpm-verify-what-to-verify.html
- Convert scripts/check_network (RedHat-based) into a number of tests.
This is a script provided by Bryan Gartner from HP
It currently checks for:
- Inetd configuration files (are xinetd or inetd files writable?
are they owned by the proper user? does inetd use -l? does
xinetd have filelog or syslog?)
(Note: some checks moved to check_tcpd)
- Does /etc/securetty exist? Does it have other entries besides vc/tty?
Is ownership of the file ok?
- Is ip forwarding enabled?
- Which version of DNS/Wu-ftpd is it running?
(Note: this might not be completely feasible since the check_network
scripts connects to the server to retrieve the banner which is
something that Tiger should leave to other, remote, VA tools)
- PermitRooLogin or Rhosts in sshd?
- EXPN/VRFY support in mail host?
Necessary services:
- Is syslog running?
- Is omniback running?
Not allowed (per policy):
- Is fingerd running?
- Is identd runnig?
- Are inetd internal services running?
- Is a routing daemon enabled?
- R-commands?
- X server
- Tftpd
- NIS
- UUCP
- R-exd?
- NFS
Note: some of this is already done in check_inetd and check_xinetd so
many might be redundant.
INTEGRATION CHECKS
------------------
(checks related to other tools that integrate them in the Tiger framework)
- Tripwire: the 'tripwire_run' script has not been tested thoroughly
(mainly because in Debian it is already configured to execute
regular checks standalone)
- Crack: same for 'crack_run' (for the same reason as for tripwire
it has not been tested thoroughly yet)
- Other integrity checkers: aide, samhain, integrit...
(Note: done for aide and integrit for the moment)
- Other password crackers: john
- Logcheckers: swatch, logcheck, loganalysis, snort-logcheck
Note: Tiger currently does not do any log checking (see below)
I'm not sure if Tiger should provide a new one or re-use
existing ones and include them as an 'external' program to run
through a Tiger module. The benefit of using an accepted and use
log analysis tool is that Tiger can benefit from the database of
signatures of known attacks/non-issues. The problem is that the
sysadmin has to install yet another tool (if he is not using an OS
that already includes them) and, probably, some other stuff
(usually Perl) on which the tool itself is based.
- User analysis: sac, hostsentry (part of Abacus, but non-free)
- Network checks: Arpwatch, Snort
(DONE)- Other tools: chkrootkit
--- Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Sun, 27 Jun 2004 22:28:39 +0200