UNIX System Administration Handbook - Evi Nemeth [395]
COPS: audit system security
The Computer Oracle and Password System, COPS, is a set of programs, originally written by Dan Farmer, that monitor several aspects of UNIX security. You can run COPS every night out of cron to search through the filesystem for problems.
By standardizing and streamlining a variety of simple checks, COPS can save you many hours of manual labor. Although it is no longer under active development, COPS is a classic tool that identifies many classic security problems. Run it before one of your users does.
COPS warns you of potential problems by sending email; it makes no attempt to fix the problems it has discovered. The items it monitors include:
• File, directory, and device permissions and modes
• The contents of /etc/passwd and /etc/group
• The contents of system startup and crontab files
• The writability of users’ home directories
Once you install COPS, you will receive a nightly security report similar to this one:
ATTENTION:
Security Report from host raja.xor.com
Warning! Root does not own the following file(s): /etc
Warning! "." (or current directory) is in root’s path!
Warning! /var/spool/mail is _World_ writable!
Warning! /etc/utmp is _World_ writable!
Warning! User randy’s home directory /home/staff/randy is mode 0777!
Warning! Password file, line 8, no password:
runmailq::33:10:,,,:/home/staff/runmailq:/bin/csh
Warning! /usr/bin/uudecode creates setuid files!
Warning! Password Problem: Guessed: beth shell: /bin/csh
COPS includes the Kuang expert system, which attempts to intuit devious ways that regular users could attempt to become root. More information about COPS is available from www.cerias.purdue.edu.
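As an added illustration of the classes of check listed above (example code, not COPS's own), here is a small Python audit that applies three of them, the password file, root's PATH, and file ownership and modes, to constructed sample data and renders the result in the style of the mail report. Everything in it is assumed for the example: the sample passwd lines, the path-to-mode table, the ROOT_OWNED list, and the extra "second uid 0 account" check, which goes beyond the warnings shown in the report above. stat_table() builds the same mode table from a live system so the checks can be pointed at real paths.

```python
"""COPS-style audit checks (added example; not COPS's own code).
Operates on constructed inputs so it runs anywhere; stat_table() builds
the same path -> (st_mode, st_uid) table from the live filesystem."""
import os
import stat

# Constructed /etc/passwd fragment. Line 2 mirrors the "no password"
# warning in the sample report; toor is a second uid-0 account (assumed).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
runmailq::33:10:,,,:/home/staff/runmailq:/bin/csh
randy:x:1001:10:Randy:/home/staff/randy:/bin/csh
toor:x:0:0:second root:/root:/bin/sh
"""

# Constructed table standing in for os.lstat() results.
SAMPLE_MODES = {
    "/etc": (stat.S_IFDIR | 0o755, 1),            # not owned by root
    "/var/spool/mail": (stat.S_IFDIR | 0o777, 0),
    "/etc/utmp": (stat.S_IFREG | 0o666, 0),
    "/home/staff/randy": (stat.S_IFDIR | 0o777, 1001),
    "/bin/sh": (stat.S_IFREG | 0o755, 0),
}
SAMPLE_HOMES = {"/home/staff/randy": "randy"}   # home directory -> owner
ROOT_OWNED = ["/etc", "/etc/utmp", "/bin/sh"]   # assumed list; must be uid 0


def check_passwd(text):
    """Malformed lines, empty password fields, and extra uid-0 accounts."""
    warnings, uid0 = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            warnings.append(f"Password file, line {n}, does not have 7 fields:\n{line}")
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if passwd == "":
            warnings.append(f"Password file, line {n}, no password:\n{line}")
        if uid == "0":
            uid0.append(name)
    # Extra uid-0 accounts: an assumed check beyond the sample report.
    for name in uid0:
        if name != "root":
            warnings.append(f"Password file, user {name} has uid 0 (not root)")
    return warnings


def check_path(path_value, user="root"):
    """'.' or an empty element (which the shell also treats as '.') in PATH."""
    for elem in path_value.split(":"):
        if elem in ("", "."):
            return [f"\".\" (or current directory) is in {user}'s path!"]
    return []


def check_modes(mode_table, home_dirs, root_owned):
    """Root ownership of system files and world-writable files/directories."""
    warnings = []
    not_root = [p for p in root_owned if p in mode_table and mode_table[p][1] != 0]
    if not_root:
        warnings.append("Root does not own the following file(s): " + " ".join(not_root))
    for path, (mode, _uid) in mode_table.items():
        if mode & stat.S_IWOTH:
            if path in home_dirs:
                warnings.append(f"User {home_dirs[path]}'s home directory {path} "
                                f"is mode {stat.S_IMODE(mode):04o}!")
            else:
                warnings.append(f"{path} is _World_ writable!")
    return warnings


def stat_table(paths):
    """Build a mode table from the live system (os.lstat: no symlink following)."""
    table = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except OSError:
            continue
        table[p] = (st.st_mode, st.st_uid)
    return table


def report(host, warnings):
    """Render warnings in the layout of the COPS mail report."""
    lines = ["ATTENTION:", f"Security Report from host {host}"]
    lines += [f"Warning! {w}" for w in warnings]
    return "\n".join(lines)


if __name__ == "__main__":
    found = (check_passwd(SAMPLE_PASSWD)
             + check_path("/usr/bin:/bin:.")
             + check_modes(SAMPLE_MODES, SAMPLE_HOMES, ROOT_OWNED))
    print(report("raja.xor.com", found))
```

To run it against a real host, replace SAMPLE_PASSWD with the contents of /etc/passwd, build the mode table with stat_table() over the directories you care about, and pass os.environ["PATH"] from a root shell to check_path(). The checks report; like COPS, they change nothing.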
tripwire: monitor changes to system files
tripwire, written by Gene Kim and Gene Spafford of Purdue, monitors the permissions and checksums of important system files so that you can easily detect files that have been replaced, corrupted, or tampered with. For example, tripwire makes it easy to determine that an intruder has replaced your copy of /bin/login with one that records passwords in a clandestine file.
tripwire checks files against a database that records their characteristics and checksums at the time the database was built. The general idea is to make a baseline database from a trusted state of the system and then regularly diff the filesystem against that historical database. Files that are expected to change (such as /etc/utmp) can be marked in tripwire's configuration file so that they do not generate warnings. When the configuration of the system is changed or new software is installed, the database should be rebuilt so that real problems do not disappear among a flood of spurious tripwire warnings. Rebuild it only after you have reviewed the current report and confirmed that every change is your own; a baseline taken from an already compromised system records the intruder's files as expected.
If possible, tripwire’s database and config file should be mounted from a secure server that exports it read-only. This configuration makes it harder for hackers to cover their tracks and remain undetected.
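To make the baseline-and-diff idea concrete, here is an added Python example (not tripwire's code, and not its database format) that fingerprints a tree, saves the baseline as JSON, and reports added, deleted and changed files. Its volatile set plays the role of tripwire's exceptions for files such as /etc/utmp: content, size and mtime may drift on those files, but a change of owner or permission bits is still reported. The tree, file names and tampering in demo() are constructed for the example.

```python
"""Tripwire-style integrity baseline and comparison (added example; not
tripwire's code or database format). Database keys are relative to the
scanned root so a baseline can be stored and checked from elsewhere."""
import hashlib
import json
import os
import shutil
import stat
import tempfile

VOLATILE_ATTRS = {"size", "mtime", "sha256"}   # may drift on volatile files


def fingerprint(path):
    """Owner, group, permission bits and, for regular files, size/mtime/SHA-256."""
    st = os.lstat(path)
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry.update(size=st.st_size, mtime=int(st.st_mtime), sha256=h.hexdigest())
    return entry


def build_database(root):
    """Walk root and fingerprint every file and directory under it."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = fingerprint(full)
    return db


def save_database(db, path):
    with open(path, "w") as f:
        json.dump(db, f, indent=1, sort_keys=True)


def load_database(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, root, volatile=frozenset()):
    """Diff the live tree against baseline; returns (added, deleted, changed).
    changed maps relative path -> {attr: (observed, expected)}."""
    current = build_database(root)
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {k: (new.get(k), old.get(k))
                 for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        if rel in volatile:   # expected-to-change files: ignore content drift only
            diffs = {k: v for k, v in diffs.items() if k not in VOLATILE_ATTRS}
        if diffs:
            changed[rel] = diffs
    return added, deleted, changed


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, rescan."""
    root = tempfile.mkdtemp(prefix="tw-demo-")
    db_path = root + "-baseline.json"          # kept outside the scanned tree
    try:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        tcsh = os.path.join(root, "bin", "tcsh")
        utmp = os.path.join(root, "etc", "utmp")
        with open(tcsh, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh \"$@\"\n")
        os.chmod(tcsh, 0o755)
        with open(utmp, "wb") as f:
            f.write(b"login record 1\n")
        save_database(build_database(root), db_path)
        # After the baseline: a trojaned shell, a dropped file, and the
        # routine growth of utmp that must not be reported.
        with open(tcsh, "wb") as f:
            f.write(b"#!/bin/sh\nlogger \"$USER\"; exec /bin/sh \"$@\"\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"not in the baseline\n")
        with open(utmp, "ab") as f:
            f.write(b"login record 2\n")
        return compare(load_database(db_path), root, volatile={"etc/utmp"})
    finally:
        shutil.rmtree(root, ignore_errors=True)
        if os.path.exists(db_path):
            os.remove(db_path)


if __name__ == "__main__":
    added, deleted, changed = demo()
    print(f"### Files added: {len(added)}\n### Files deleted: {len(deleted)}"
          f"\n### Files changed: {len(changed)}")
    for rel, diffs in changed.items():
        print(f"changed: {rel}")
        for attr, (observed, expected) in diffs.items():
            print(f"  {attr}: observed {observed} expected {expected}")
```

The JSON baseline is exactly the kind of file the paragraph above says to keep on a read-only export: if an intruder who replaces bin/tcsh can also rewrite the baseline, the comparison is worthless. The same applies to the script itself and to the Python interpreter it runs under.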
tripwire should be set up to mail you a nightly report. A typical tripwire report looks like this:
# tripwire
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 20344
### Files added: 0
### Files deleted: 0
### Files changed: 1
###
### Total file violations: 1
###
changed: -rwxr-xr-x root 262184 Jan 22 12:04:42 2000 /bin/tcsh
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr Observed (what it is) Expected (what it should be)
### === ============== ==================
/bin/tcsh