tiger-user

Re: [Tiger-user] Additional Checks


From: Javier Fernández-Sanguino Peña
Subject: Re: [Tiger-user] Additional Checks
Date: Wed, 13 Nov 2002 11:09:06 +0100
User-agent: Mutt/1.3.28i

On Mon, Nov 11, 2002 at 03:27:49PM -0800, Bob Hall wrote:
> I'd like to propose a few additions to the security checks
> being performed by TIGER. These don't appear to be in release

        That's great. Could you please open a request for these at
http://savannah.nongnu.org/projects/tiger

> 2.2.4, but they could well be in later releases (or I could
> easily be mistaken.) At any rate it can't hurt to post them
> here.

        Yes, it doesn't :) I will comment whether the security checks are
(or not) in Tiger 3.1

> 
> * Find .exrc files that are not in user home directories;
>   particularly in the system directories. The vi command will
>   look for a .exrc in your current directory, and this can be
>   used as an exploit.

        It is not yet in Tiger.

> * Check /etc/ftpusers for vendor-supplied accounts. Compare the
>   passwd entries to a list of known vendor account names and
>   uid's, then see if they are in the /etc/ftpusers file. (For
>   example, we have adm, bin, daemon, hpdb, lp, nobody, nuucp,
>   root, sys, and uucp in the ftpusers file.)

        I believe this is already in Tiger. It's the check_ftpusers
module. It was included in Tiger-2.2.4p2 for Debian and is available for
Tiger-3.1 now. It's largely based on Titan's check for /etc/ftpusers.
Please check out:
http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_ftpusers

> * Check if any local file systems are being exported to
>   'localhost'. Also check if the local host is in a netgroups
>   entry in its own exports file.

        I believe this is not checked. The 'check_exports' will not warn
for file systems exported locally IIRC. These tests could be included in
the module.

> * Look for (unexpected) normal files under /dev.

        Yes, this is not done and could be useful.

> * Check for user startup files that call 'umask' with weak
>   settings. (Should be 022 or 027.)

        Currently there is a check in Tiger-3.1 that does that for some
scripts. Check
http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_logfiles

> * Check that '-' is not the first character in a /etc/hosts.equiv
>   /etc/hosts.lpd, or .rhosts files. Also check for a '+' entry in
>   hosts.lpd file.

        This check could be easily included in the 'check_rhosts' module
(I believe it's already in tiger-2.2.4)

> * Look for invalid comment entries in .rhosts files. (Some users
>   add "comments" that turn out to be invalid, thereby potentially
>   permitting unauthorized access.)

        This is already checked for (in 'check_rhosts'):
# Linux allows comments in rhosts files
[ "$OS" != "Linux" ] &&
case "$rhost" in
  '#'*) {
    message WARN rcmd013w "" "User $user's .rhosts file contains an attempted comment line"
    }
    ;;
esac

> * If a system allows it, check for an /etc/shells file and look
>   if the permitted shells are in the system directories.

        Yes. There are some checks that make use of /etc/shells
(check_network and check_accounts).

>  References:  

        All these references could be very useful for the tiger_exp
program. If you write the code please use new tiger error expressions and
include them in the doc/ subdir.

> Also does TIGER do any sort of log file checking? Such as:  

        Tiger currently does not do any log checking (see below)

> 
> * Check the sendmail log for suspicious entries.  
> * Check btmp for multiple invalid login attempts.  
> * Check for multiple failed su attempts. 

        Regarding log checking I was thinking along the lines of re-using
tools that are already production-level for this. There are quite a number
of tools for log analysis (log-analysis, and logcheck come to mind). I'm
not sure if Tiger should provide a new one or re-use existing ones and
include them as an 'external' program to run through a Tiger module.
        The benefit of using an accepted and used log analysis tool is that
Tiger can benefit from the database of signatures of known
attacks/non-issues. The problem is that the sysadmin has to install yet
another tool (if he is not using an OS that already includes them) and,
probably, some other stuff (like Perl) on which the tool itself is based.
I haven't matured this yet (BTW, this should be included in savannah's
Tech manager or as a task in the project).

> Thank you for your consideration.

        Thank you for all your comments. If you are going to code any of
the modules I would really appreciate it if you created a savannah account
and use the latest CVS entries for this, otherwise it's more difficult to
integrate them into newer releases. Ask me for access to the project.

        In any case, any kind of patches to improve Tiger are appreciated.

        Javi
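As an added illustration (not Tiger's own code, and not part of the message above), here is a Tiger-style scan of a trusted-host file that covers the three points raised in the thread for hosts.equiv, hosts.lpd and .rhosts: an entry beginning with '-', a bare '+' wildcard, and '#' "comment" lines that only Linux honours. The message() helper and the rcmdNNNw codes (other than rcmd013w quoted above) are placeholder names modelled on Tiger's conventions; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Tiger's code: scan a trusted-host file for the entries
# discussed in the thread. message() and rcmdNNNw are placeholders.
set -f   # never glob-expand fields read from the file

message() { printf '%s [%s] %s\n' "$1" "$2" "$4"; }

# check_trusted_file FILE LABEL OSNAME
# Prints one WARN line per finding; prints nothing for a clean or absent file.
check_trusted_file() {
  file=$1 label=$2 osname=$3
  [ -r "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line            # split into fields; $1 is the host field
    case "${1-}" in
      '') ;;                # blank line
      '#'*)                 # only Linux treats '#' lines as comments
        [ "$osname" = Linux ] ||
          message WARN rcmd013w "" "$label contains an attempted comment line: $line"
        ;;
      -*)                   # the thread asks that no entry start with '-'
        message WARN rcmdNNNw "" "$label has an entry beginning with '-': $line"
        ;;
      '+')                  # a bare '+' trusts every host
        message WARN rcmdNNNw "" "$label contains a '+' wildcard entry"
        ;;
    esac
  done < "$file"
}

# Constructed sample hosts.equiv (not a real system file)
sample=$(mktemp) && trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# trusted hosts -- a comment that is only valid on Linux
trusted.example.com
-blocked.example.com
+
build.example.com bob
EOF

check_trusted_file "$sample" /etc/hosts.equiv SunOS
```

On the sample above the SunOS run reports three findings and a Linux run two, since the comment line is legitimate there.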
