
[Tiger-user] Additional Checks


From: Bob Hall
Subject: [Tiger-user] Additional Checks
Date: Mon, 11 Nov 2002 15:27:49 -0800 (PST)

I'd like to propose a few additions to the security checks
being performed by TIGER. These don't appear to be in release
2.2.4, but they could well be in later releases (or I could
easily be mistaken.) At any rate it can't hurt to post them
here.

* Find .exrc files that are not in user home directories;
  particularly in the system directories. The vi command will
  look for a .exrc in your current directory, and this can be
  used as an exploit.
* Check /etc/ftpusers for vendor-supplied accounts. Compare the
  passwd entries to a list of known vendor account names and
  uid's, then see if they are in the /etc/ftpusers file. (For
  example, we have adm, bin, daemon, hpdb, lp, nobody, nuucp,
  root, sys, and uucp in the ftpusers file.)
* Check if any local file systems are being exported to
  'localhost'. Also check if the local host is in a netgroups
  entry in its own exports file.
* Look for (unexpected) normal files under /dev.
* Check for user startup files that call 'umask' with weak
  settings. (Should be 022 or 027.)
* Check that '-' is not the first character in /etc/hosts.equiv,
  /etc/hosts.lpd, or .rhosts files. Also check for a '+' entry in
  the hosts.lpd file.
* Look for invalid comment entries in .rhosts files. (Some users
  add "comments" that turn out to be invalid, thereby potentially
  permitting unauthorized access.)
* If a system allows it, check for an /etc/shells file and look
  if the permitted shells are in the system directories.

References:

  http://www.cert.org/tech_tips/usc20.html
  http://www.cert.org/advisories/CA-2001-30.html
  http://www.ciac.org/ciac/bulletins/b-37.shtml
  http://www.nswc.navy.mil/ISSEC/Docs/Ref/GeneralInfo/unixsecurity.nrl.txt

Also, does TIGER do any sort of log file checking? Such as:

* Check the sendmail log for suspicious entries.
* Check btmp for multiple invalid login attempts.
* Check for multiple failed su attempts.

Thank you for your consideration.

--
  Bob
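
One way to script the hosts.equiv, hosts.lpd and .rhosts checks proposed in the message above, as an added example that is not part of the original post and not TIGER's own code. The function names, the finding codes and the assumption that home directories live under /home are this example's own, and the sample files are constructed.

```shell
#!/bin/sh
# audit_trust_file FILE
# Prints "FILE:LINE:CODE" for each suspicious line in a hosts.equiv-style
# trust file (hosts.equiv, hosts.lpd, .rhosts). Codes are this example's own.
audit_trust_file() {
    [ -r "$1" ] || return 0
    awk -v f="$1" '
        # "-" as the very first character of the file
        NR == 1 && /^-/        { print f ":" NR ":LEADING_MINUS" }
        # a bare "+" in the host or user field is a wildcard entry
        $1 == "+" || $2 == "+" { print f ":" NR ":PLUS_WILDCARD" }
        # "#" is flagged because, as the message notes, user "comments"
        # can turn out to be invalid rather than ignored
        /#/                    { print f ":" NR ":COMMENT_TEXT" }
    ' "$1"
    return 0
}

# audit_trust_files ROOT
# Checks ROOT/etc/hosts.equiv, ROOT/etc/hosts.lpd and every .rhosts below
# ROOT/home (assumed home location). Pass "" as ROOT on a live system.
audit_trust_files() {
    root=$1
    for f in "$root/etc/hosts.equiv" "$root/etc/hosts.lpd"; do
        audit_trust_file "$f"
    done
    find "$root/home" -name .rhosts -type f 2>/dev/null |
    while IFS= read -r f; do audit_trust_file "$f"; done
    return 0
}

# Constructed sample tree so the example runs offline.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/home/alice" "$d/home/bob"
    printf '%s\n' '-badhost' 'trusted.example.com' > "$d/etc/hosts.equiv"
    printf '%s\n' 'printhost.example.com' '+' > "$d/etc/hosts.lpd"
    printf '%s\n' '# my workstation' 'ws1.example.com alice' \
        > "$d/home/alice/.rhosts"
    printf '%s\n' 'ws2.example.com bob' > "$d/home/bob/.rhosts"
    echo "$d"
}

sample=$(make_sample)
audit_trust_files "$sample" | sed "s|^$sample||"
rm -rf "$sample"
```
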
