This appendix provides a procedure for configuring your system to meet or exceed a C2 level of security as described in the Orange Book. When the system is used in accordance with a site security policy, a C2 network, and the appropriate physical security, a C2 level environment can be achieved.
You can configure your system to meet the minimum C2 requirements by following the instructions in Section F.3 or you can configure for the maximum practical level of security by using this entire document.
This appendix contains information on the following subjects:
Evaluation status for Tru64 UNIX
Site security policy
Minimum C2 configuration
Procedures to establish a secure installation of a Tru64 UNIX system
Physical security
Periodic security administration procedures
Reference documents and verification tools
The Tru64 UNIX operating system is delivered with an optional enhanced security subset. When this subset is installed and configured, the system is referred to as a trusted system. The Tru64 UNIX enhanced security features are designed to meet the C2 class of trust, as defined by the Trusted Computer System Evaluation Criteria (also called the Orange Book). An online version of the Orange Book is available at http://nsi.org/Library/Compsec/orangebo.txt.
The system is also designed to meet the F-C2 functional class, as defined in the Information Technology Security Evaluation Criteria (ITSEC).
The system's security mechanisms maintain full compatibility with existing Tru64 UNIX security mechanisms, while expanding the protection of user and system information.
Contact your sales representative for the latest evaluation and certification status of the Tru64 UNIX product.
F.2 Establishing a Security Policy
A security policy is a statement of the rules and practices that regulate how an organization maintains its computing environment and how the organization manages, protects, and distributes sensitive information.
An organization carries out its security policy by configuring the system as described in this procedure and by adhering to the administrative and procedural guidelines defined in the site policy.
Compaq recommends that you establish a written security policy for your site, as described in the Site Security Handbook (RFC 1244).
Security consulting services are available from Compaq by calling (in the USA) 1.800.AT.COMPAQ. For more information, see the following web site: http://www.compaq.com/services/internet/security/index.html
To create your site's security policy do the following:
Document the process for maintaining and changing the security policy.
Establish the action taken by system administrators in the case of a break-in or other breach of security.
Determine your site's audit policy including the following:
User activities you want to audit.
Locally defined audit events.
Location for audit logs.
Procedures for the review of audit logs.
Whether the auditing of login attempts to unrecognized account names (login_uname) is needed. Using this attribute can put passwords, entered out of sequence with respect to the prompts, in the audit logs.
Establish a service access policy (supervision, passwords).
Determine the umask for your system (022 is the system default).
Establish a schedule for verifying the integrity, including passwords, of your system and site.
Define the boundaries of the system and the interfaces (telnet, ftp, for example) between the boundaries.
Establish a magnetic media policy, especially for removable media.
Determine what application software will be installed on your system and what its security implications are.
Determine the password policy for your users. Some considerations follow:
Long passwords are hard to break, but inevitably they are written down.
If user-chosen passwords are used, only one person knows the password.
Machine-generated passwords are harder to break, but also harder to remember and will probably be written down.
Determine the login controls for your system.
Establish a procedure for system startups, shutdowns and upgrades.
Establish a backup and recovery procedure.
Determine who the system administrators (root access) are and exactly what their functions are to be.
Establish one or more secure account prototypes (Local Templates) for creating user accounts using the Account Manager program.
Establish a secure account template with startup files in the /usr/skel directory.
Determine the access restrictions for each object on your system.
Establish the groups for your system.
Determine the access restrictions for each user on your system.
Record for reference all the programs on your system that can set the UID or GID.
Determine the export restrictions for file systems on your system.
Establish change control procedures for subjects and objects on your system.
Establish a procedure for physical access changes.
Establish the physical access requirements for your system and console.
Establish the physical access requirements for your network components.
Establish your network administration/security policy.
Determine which remote access programs (ftp, telnet, and such) will run on your system.
Determine the remote systems that will have access to your system (Compaq recommends that you do not allow .rhosts and .hosts.equiv files).
Determine the console password requirements for your system and site.
Establish a modem policy (consider authentication, the configuration for dial-in and dial-out access).
Create a "User Security Training" course or document for your site.
Document how users will access the system: operating system, database, or application menu.
Determine the secure devices for your site.
After your system is configured, the configuration files should change little and always in predictable ways. During periodic security reviews of your system, compare the base configuration files for content and permissions to the current files. Document the base system and network configuration by obtaining a listing of the following files and attaching them to the security policy:
/usr/skel/.profile
/usr/skel/.cshrc
/usr/skel/.login
/var/yp/<domain>/auto.master
/var/yp/<domain>/auto.home
/var/yp/<domain>/auto.###
/etc/auto.*
/etc/auth/*
/etc/dumpdates
/etc/ethers
/etc/exports
/etc/fstab
/etc/ftpusers
/etc/group
/etc/hosts
/etc/hosts.equiv
/etc/inetd.conf
/etc/motd
/etc/netgroups
/etc/passwd
/etc/profile
/etc/csh.login
/etc/logout (if used)
/etc/remote
/etc/resolv.conf
/etc/rc.config
/etc/rc.site (optional, used with /etc/rc.config)
/etc/screend.config
/etc/services
/etc/sec/site_events
/etc/sec/audit_events
/etc/sec/auditd_clients
/etc/sec/event_aliases
/etc/sec/auditd_cons
/etc/sec/audit_loc
/etc/securettys
/etc/svc.conf
/tcb/*
/usr/adm/messages
/var/spool/uucp/Permissions (if UUCP is active)
/var/spool/uucp/Systems (if UUCP is active)
/var/spool/uucp/remote.unknown (if UUCP is active)
/var/adm/cron/at.allow
/var/adm/cron/at.deny
/var/adm/cron/cron.allow
/var/adm/cron/cron.deny
/var/adm/crontab/ (any files in this directory)
/var/tcb/*
/var/yp/src/*
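As an added example that is not part of the original appendix, the following POSIX shell script records a baseline of the listed files (checksum, size, mode, owner and group) and reports drift against that baseline at the next periodic review. The demo files are constructed; only cksum, ls, diff and comm are assumed.

```shell
#!/bin/sh
# Added example, not from the Tru64 UNIX documentation: snapshot the
# configuration files named in the security policy and compare a later
# snapshot against the stored baseline. Uses only POSIX tools.

# baseline_snapshot FILE... : one sorted line per path:
#   <path> <cksum> <size> <mode> <owner> <group>   (regular files)
#   <path> DIR <mode> <owner> <group>              (directories)
#   <path> MISSING                                 (absent)
baseline_snapshot() {
    for f in "$@"; do
        if [ -f "$f" ]; then
            sum=$(cksum "$f" | awk '{print $1, $2}')
            meta=$(ls -ld "$f" | awk '{print $1, $3, $4}')
            printf '%s %s %s\n' "$f" "$sum" "$meta"
        elif [ -d "$f" ]; then
            meta=$(ls -ld "$f" | awk '{print $1, $3, $4}')
            printf '%s DIR %s\n' "$f" "$meta"
        else
            printf '%s MISSING\n' "$f"
        fi
    done | sort
}

# baseline_compare BASELINE CURRENT : print each entry that differs.
# Returns 0 when the snapshots are identical, 1 when anything changed.
baseline_compare() {
    if diff "$1" "$2" > /dev/null; then
        return 0
    fi
    # Entries only in the baseline: the file changed or disappeared.
    comm -23 "$1" "$2" | sed 's/^/was: /'
    # Entries only in the current snapshot: the file changed or is new.
    comm -13 "$1" "$2" | sed 's/^/now: /'
    return 1
}

# demo : constructed files in a temporary directory; simulates a content
# change in one file and a permission change in another, then compares.
# Returns 1 (drift detected) after printing the differing entries.
demo() {
    tmp=$(mktemp -d) || return 2
    printf 'umask 022\n' > "$tmp/profile"
    printf 'root:x:0:0::/:/bin/sh\n' > "$tmp/passwd"
    chmod 644 "$tmp/profile" "$tmp/passwd"
    baseline_snapshot "$tmp/profile" "$tmp/passwd" "$tmp/missing" > "$tmp/base"
    printf 'umask 027\n' > "$tmp/profile"   # content drift
    chmod 666 "$tmp/passwd"                  # permission drift
    baseline_snapshot "$tmp/profile" "$tmp/passwd" "$tmp/missing" > "$tmp/cur"
    baseline_compare "$tmp/base" "$tmp/cur"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run the demonstration when invoked as: sh baseline.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Keep the baseline file itself under the same change control as the policy document, since a writable baseline defeats the comparison.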
Compaq's interpretation of the Orange Book's requirements for a minimum C2 system is that the configuration for Tru64 UNIX is as follows:
The requirement for a site security policy is met when you establish a security policy for your site as described in Section F.2 and the Site Security Handbook (RFC 1244). Your security policy should be in written form.
Users should be able to change their own passwords and the passwords should be machine-generated (Green Book recommendation). See Section F.4.2 for password configuration details.
The requirement for users to be notified of their last login is met when enhanced security is configured.
The discretionary access control requirement is met by configuring ACLs (access control lists) on your system. See Section F.4.6 for configuration details. Compaq does not recommend using the /usr/groups approach for small systems (less than 32 users).
The object reuse requirement mandates that workstations be configured with no xhost entries. Shared memory separation must be enabled. You do this by answering yes when secconfig asks if you want to disable segment sharing.
The audit subsystem needs to be configured and available for use. Compaq recommends that, at a minimum, you run audit as described in Section F.4.5.
The ability to verify the integrity of the trusted computing base (TCB) is met by running the fverify and authck commands periodically as determined by your site's security policy.
After you have installed the Tru64 UNIX software subsets (including the optional enhanced security and documentation extension subsets) onto your system, you will start the software configuration. During the configuration, several of the selections you make will affect the security of your system. The assumption is that you need the maximum practical security configuration for your system. The following sections document the areas of concern for security and Compaq's recommended configuration.
F.4.1 General Configuration
Compaq recommends the following general system configurations:
Ensure that the /tmp, /var/tmp, and /var/spool directories are on a file system other than that of the root (/) and /usr directories.
Do not run Netscape Navigator with JAVA enabled. Only enable JAVA when you are connected to known secure sites.
Avoid connecting systems to the Internet whenever possible.
F.4.2 Enhanced Passwords and Authentication Using secconfig
Select the enhanced password attributes to match your site's security policy. See Section F.2 and Section 7.5.4 for details.
Compaq recommends the following password attributes (defaults are defined in the /etc/auth/system/default file):
Select either user-chosen or machine-generated passwords and configure as follows:
For user-chosen passwords (u_pickpw field in the /etc/auth/system/default file), set the minimum length to 8 characters (u_minlen#8) and the maximum length to 80 characters (u_maxlen#80).
For machine-generated passwords (no u_pickpw field in the /etc/auth/system/default file), set the minimum length to 0 characters (u_minlen#0) and the maximum length to 10 characters (u_maxlen#10). The value of 0 for minimum length causes Tru64 UNIX to use the Green Book algorithm to generate passwords.
Ensure that null passwords cannot be used (u_nullpw@).
Set the password expiration time to 180 days (u_exp#15724800).
Set the account lifetime to 360 days (u_life#31449600).
Set the depth of the password history file to 9 (u_pwdepth#9).
Set the number of tries to enter a password before locking the account to 5 (u_maxtries#5).
Set new accounts to be locked (u_lock).
Set the maximum number of login attempts before the terminal is locked to 10 (t_maxtries#10).
Set the delay between attempted logins to 2 seconds (t_logdelay#2).
Select triviality checks (u_restrict) and site password restrictions (u_policy).
Use the Account Manager (dxaccounts) or the edauth program to change the default settings.
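As an added example that is not part of the original appendix, the following POSIX shell function compares the default entry of an authentication database dump with the user-chosen-password values recommended above. It assumes the dump is in the colon-separated, backslash-continued layout that edauth -g prints, and the sample dump is constructed to show three deviations.

```shell
#!/bin/sh
# Added example, not from the Tru64 UNIX documentation: compare the
# "default" entry of an edauth -g dump with the attribute values
# recommended above for user-chosen passwords. The dump layout assumed
# here is the colon-separated, backslash-continued form edauth prints.

# Recommended values (Section F.4.2). A trailing @ means the boolean
# attribute is off; a bare name means it is on; # introduces a number.
PW_WANT="u_pickpw u_minlen#8 u_maxlen#80 u_nullpw@ u_exp#15724800 \
u_life#31449600 u_pwdepth#9 u_maxtries#5 u_lock t_maxtries#10 \
t_logdelay#2 u_restrict u_policy"

# pwpolicy_check FILE : print one line per attribute that is unset or
# differs from PW_WANT ("<name>: want <x>, have <y>"); 0 if all match.
pwpolicy_check() {
    out=$(awk -v want="$PW_WANT" '
        BEGIN { nw = split(want, w, " ") }
        # join continuation lines (ending in a backslash) into one record
        /\\$/ { sub(/\\$/, ""); rec = rec $0; next }
        {
            rec = rec $0
            n = split(rec, f, ":"); rec = ""
            if (f[1] != "default") next
            for (i = 2; i <= n; i++) {
                a = f[i]; gsub(/[ \t]/, "", a)
                if (a == "") continue
                k = a; sub(/[#@=].*/, "", k)   # attribute name without value
                have[k] = a
            }
            for (j = 1; j <= nw; j++) {
                k = w[j]; sub(/[#@=].*/, "", k)
                if (!(k in have))
                    printf "%s: want %s, have (unset)\n", k, w[j]
                else if (have[k] != w[j])
                    printf "%s: want %s, have %s\n", k, w[j], have[k]
            }
        }' "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# write_sample_default FILE : a constructed dump of a weak default entry:
# minimum length 6, null passwords allowed, new accounts not locked.
write_sample_default() {
    cat > "$1" <<'EOF'
default:\
        :d_name=default:\
        :d_boot_authenticate@:\
        :u_pwd=*:\
        :u_pickpw:u_minlen#6:u_maxlen#80:\
        :u_nullpw:\
        :u_exp#15724800:u_life#31449600:\
        :u_pwdepth#9:u_maxtries#5:\
        :t_maxtries#10:t_logdelay#2:\
        :u_restrict:u_policy:\
        :chkent:
EOF
}

# Run the demonstration when invoked as: sh pwpolicy.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample_default "$f" && pwpolicy_check "$f"
    rm -f "$f"
fi
```

On a live system, feed the function the output of /usr/tcb/bin/edauth -g saved to a file, and adjust PW_WANT if your site policy chooses machine-generated passwords.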
F.4.3 Libraries
The libraries on your system can be used in an attack. Secure the libraries as follows:
Disable segment sharing by answering yes when prompted by secconfig.
Verify that the permissions are correct (no write access except for the owner) and that the ownership is root on shared libraries (/usr/shlib/*.so), including any linked target files. Use the ls -lL command for this procedure.
F.4.4 Account Prototypes and Templates
The account templates used to create user account startup files are /usr/skel/.login, /usr/skel/.cshrc and /usr/skel/.profile.
Account prototypes (referred to as Local Templates) are provided by the Account Manager (dxaccounts). The prototypes let you set attributes like password expiration and login attempts for individual user accounts. If an attribute value is not specified in the local template, the value from the default file is used. The system-wide default attribute values are stored in the /etc/auth/system/default file. System default values are set with the /usr/tcb/bin/edauth command.
Configure user accounts as follows:
Using the provided default templates, create account templates that reflect your site's security policy.
Set the umask in the /usr/skel/.login file (Compaq recommends a value of 027).
Designate a restricted shell (Rsh) for users where appropriate.
Verify that each user has a valid entry path (login shell) on the system. Users can be placed directly into an application by executing the application from the user's /home/.profile or from the entry in the /etc/passwd file or as a start point for the user with the execution of a startup program.
If user access is restricted through menu scripts called from the user's .profile file, the scripts should have a trap command at the beginning of the file to ensure that Ctrl/C and other keyboard interrupts are ignored.
F.4.5 Configuring the Audit Subsystem
Before the audit kernel option (Audit Subsystem) can be configured, it needs to be included for the kernel build. Use the audit_setup utility to configure the audit subsystem any time after the kernel build.
Compaq recommends that you configure and run audit as follows:
Use the default location for audit logs (/var/audit/auditlog.nnn).
For overflow protection, put the audit logs on a file system other than root (/) and /usr.
Establish an alternate location for audit logs to provide for an overflow of audit log data by editing the /etc/sec/auditd_loc file.
Send auditd messages to the console (/dev/console).
Set the audit mask to audit trusted_events and to log the name of a user (as described in your site policy) who attempts to log into an invalid account.
If you are starting the audit daemon from the command line, use the following command:
# /sbin/init.d/audit start
See
Chapter 10
for audit configuration details.
F.4.6 Configuring ACLs
ACL processing can be dynamically enabled using the sysconfig command and can also be configured to be enabled automatically as part of system startup using the sysconfigdb command. See the sysconfig(8) reference page and Chapter 11 for ACL configuration details.
F.4.7 Verifying That Your Installation Is Secure
After you have rebooted the system to enable the enhanced security options, run the fverify and authck programs to verify the integrity of your system.
F.4.8 Configuring Network Security
Proper network configuration is a critical part of your secure computing environment. Use the following checklist as an aid to network configuration:
Do not use NIS (Network Information Services, formerly called Yellow Pages) to distribute root account information. See Section 9.5 for details.
When using NIS, use the /etc/yp/securenets file, as described in the ypserv(8) reference page.
Run ypbind with the -S flag and without the -ypset or -ypsetme options (default).
If uucp is configured on your system, do the following:
Ensure that the uucp account is password controlled and that a separate uucp account is established for each machine that requires access.
Ensure that the /var/spool/uucp/Permission file has only valid entries.
Ensure that the /var/spool/uucp/Systems file has only valid entries.
Ensure that the File Transfer Protocol (FTP) is secured and that, if possible, there are no anonymous FTP accounts. If you must use anonymous FTP, ensure the following:
The FTP account has an asterisk in the protected password field.
A /usr/ftp home directory is created for FTP. Create /bin and /etc subdirectories under the /usr/ftp directory.
Nothing in the home directory is owned by ftp.
A public subdirectory is created under the /usr/ftp directory for placement and retrieval of transferred files. User ftp should only have write access to the public subdirectory.
Create an ~ftp/etc/passwd file with only the ftp account and no password.
Copy the /etc/sia/bsd_matrix.conf file to ~ftp/etc/sia/matrix.conf.
Copy /sbin/ls to ~ftp/bin/ls.
The login shell for the ftp account should be /sbin/sink.
Ensure that workstations are using DES-cookie based authentication (default). See the XDM-AUTHORIZATION-1 parts of the dtlogin(1) reference page for more information.
When /usr/bin/X11/xhost is run, nothing should be reported. The output should look like the following:
# xhost
access control enabled, only authorized clients can connect
#
F.4.9 Postinstallation Security Configuration
After the system is installed and configured, perform the activities in the following sections.
F.4.9.1 umask for Remote Access
Add a umask entry as described in your site security policy to the /etc/csh.login, /etc/profile, and /etc/init.d/inet files. (Note that the /etc/init.d/inet file is overwritten during an update installation.)
F.4.9.2 Devices
Using /usr/tcb/bin/dxdevices, create the devices with the security attributes that reflect your site's security policy.
Ensure that terminal ports are readable only by the owner by modifying the remote login shell file as follows:
Add the following to the /etc/profile file:
case "$TERM" in
none) ;;
*) /usr/bin/setacl -b `/usr/bin/tty` ;;
esac
Add the following to the /etc/csh.login file:
if ($?TERM) then
    if ("$TERM" != "none") then
        /usr/bin/setacl -b `/usr/bin/tty`
    endif
endif
See Chapter 8 for details dealing with devices.
F.4.9.3 Accounts
Compaq recommends that you create and verify accounts as follows:
Create the user accounts for your system using either the Account Manager (/usr/bin/X11/dxaccounts) or by restoring the /usr/users area and associated files from a previous system.
Ensure that home directories are mounted with the noexec, nosuid, and nodev options.
Ensure that CDE users have the auto-pause feature enabled by using a command similar to the following:
# grep extension.lockTimeout ~/.dt/sessions/current/dt.resources
A 0 status indicates that the auto-pause feature is disabled.
Review the /etc/passwd and /var/tcb/files/auth.db databases to verify that user home directories and passwords are appropriate.
See Chapter 9 for details on account creation.
Because root access must be carefully controlled and monitored, make sure the following conditions are met:
That all passwords are changed after a system installation or after support vendors have had access to your machine.
That the root password is changed before vendor access is granted to prevent exposure of your password generation methodology.
That the single-user password feature is enabled.
See the sulogin(8) reference page.
That using the su command to become root is logged by audit.
That access to the setuid/setgid 0 programs on your system is restricted (700, 710, or 711).
That the /var/spool/cron/crontabs files are accessible only by root or the owner.
That root access is restricted to certain devices for login or that users must use the su command to access the root account. See the securettys(4) reference page for more information.
That the logins for the system-supplied UIDs are limited (by setting the u_lock field) where appropriate.
The following table provides the restrictions recommended by Compaq:
UID | Recommended login status
root | Restricted
daemon | Not allowed
bin | Not allowed
sys | Not allowed
uucp | Restricted
nobody | Not allowed
adm | Restricted
lp | Not allowed
Review the /etc/svc.conf file and ensure that a logical configuration has been set up for NIS. Also, if NIS is being used, verify that the client machines and the server have the correct domain name defined in the NIS_DOMAIN variable in the /etc/rc.config or /etc/rc.site file.
Ensure that the network files in the following table are protected:
File | Comment
/etc/exports | Validate the entries. Avoid using the -root= option if possible. Use the -access=<hostname> and -ro options on all specified file systems.
/etc/hosts |
/etc/services |
/etc/protocols |
/etc/inetd.conf |
/etc/hosts.equiv | Validate that the entries are local hosts.
/etc/ethers |
~username/.rhosts | Remove these files or run rlogind and rshd with the -l flag set.
An important part of your site's security is the physical security of all the components in the environment. Check your physical security as follows:
Verify that the system and its cabling are in a secure environment.
Verify that all network components are physically secured. These include file servers, bridges, routers, hubs/concentrators, gateways, terminal servers, and modems.
From the console prompt, ensure that the boot flags are set according to your site policy using the following command:
>>> show
If your system supports the console password feature, ensure that it is being used. Consult your hardware documentation for information on console password support.
Verify that a console terminal's function keys have not been programmed for login or password information.
Ensure that modems have an automatic disconnect feature. Also make sure modems are in a secure environment.
To ensure the security of application software running on your system, make sure that the following conditions are met:
Restrict any setuid or setgid programs.
Ensure that any control files and executable files are writable only by root.
If a firewall product is installed, see the firewall's documentation for the appropriate configuration information.
If you are running the screend program, configure it as described in the screend(8) reference page.
If you have tunneling software installed, ensure that it is secure, as described in its documentation.
F.7 Periodic Security Administration Procedures
The frequency of the different classes of review activities is determined by your site's security policy. Perform the following activities on a regular schedule:
Back up the system and its applications.
Review the audit logs.
Review the system accounting logs.
Run the fverify and authck programs to verify the integrity of your system. Some public domain programs, such as cops and tripwire, are useful to help verify system integrity.
Verify that your system has only necessary and authorized programs.
Verify that compilers are only available on systems used for development.
Verify that your system has only authorized root-owned setuid and setgid programs using the following command:
# find / \( -perm -4000 -o -perm -2000 \) -ls
Review the /etc/exports file to verify that all entries are valid.
Check your user accounts as follows:
Review the /etc/passwd file to verify that all accounts are still valid.
Run the following command to ensure there are no enhanced profiles (prpasswd entries) without /etc/passwd entries:
# /usr/tcb/bin/convuser -dN
Verify that the home directory permissions are set according to your site policy.
Verify that all files in a user's home directory are owned by that user.
Verify that each user has a valid entry path (login shell) on the system.
Verify that entries in a .rhosts or .netrc file are appropriate.
Verify that any .exrc and .netrc files are located only in user home directories.
Review the hosts.equiv file for valid entries.
Ensure that entries in the following files do not conflict with system parameters and that the files are protected by a permission of 755:
.profile, .login, .cshrc, .kshrc, .logout
Verify that user masks are set in accordance with your site policy using the following command:
# grep umask /usr/users/*/.*
The system default mask is set to 022.
Review the /dev directory and verify the following:
That special devices have the proper permission.
That access to devices such as mem, kmem, and swap is properly protected (440).
That terminal ports are readable only by the owner.
That users do not own any devices other than their terminal device and their printer.
Verify that your modem authentication is functioning as intended.
Use the following commands to verify that the same user name is not used for different UIDs, including between the local /etc/passwd file and NIS:
# ( ypcat passwd ; grep -v '^[-+]' /etc/passwd ) | \
    sort -t: -k 1,1 -k 3,3n -u | \
    awk -F: '{if (n == $1) {print p; print}; \
    n=$1; p=$0}' | \
    more
Use the following commands to verify that no user names use the same UID, including between the local /etc/passwd file and NIS:
# ( ypcat passwd ; grep -v '^[-+]' /etc/passwd ) | \
    sort -t: -k 3,3n -k 1,1 -u | \
    awk -F: 'BEGIN {u=-1} {if (u == $3) \
    {print p; print}; u=$3; p=$0}' | \
    more
Use both of the following commands to verify that all accounts have local or NIS passwords (the awk action must be enclosed in braces; without them awk reports a syntax error):
# sort -t: -n /etc/passwd | awk -F: '$2 == "" {print}'
# /usr/tcb/bin/edauth -g | sed -f sed_file | egrep -v \
    ':u_pwd=[^:]|:u_istemplate:'
The commands in sed_file are as follows (<tab> and <space> stand for a literal tab and space character):
: top
/:\\$/ {
N
b top
}
s/:\\/:/g
s/:[<tab><space>]*:/:/g
s/:[<tab><space>]*:/:/g
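The three account checks above (one name with several UIDs, one UID with several names, an empty password field) as a single awk pass over the merged local and NIS data, added here as an example that is not part of the original appendix. The sample passwd and NIS files are constructed; on a live system the input is what the page's ypcat/grep pipeline produces.

```shell
#!/bin/sh
# Added example, not from the Tru64 UNIX documentation: the three account
# checks above (a name with more than one UID, a UID with more than one
# name, and an empty password field) as one awk pass over the merged
# local and NIS passwd data. The sample files are constructed.

# account_check FILE... : print one finding per line; return 0 if none.
# On a live system the input is what the page's pipeline produces:
#   ( ypcat passwd ; grep -v '^[-+]' /etc/passwd ) > merged.txt
account_check() {
    out=$(cat "$@" | awk -F: '
        NF < 7 || $1 ~ /^[-+]/ { next }   # skip NIS +/- entries and junk
        {
            n = $1; u = $3
            # remember every UID seen for a name and every name for a UID
            if (index(" " uids[n] " ", " " u " ") == 0) uids[n] = uids[n] " " u
            if (index(" " names[u] " ", " " n " ") == 0) names[u] = names[u] " " n
            if ($2 == "") nopw[n] = 1
        }
        END {
            for (n in uids)
                if (split(uids[n], a, " ") > 1)
                    printf "name %s has UIDs:%s\n", n, uids[n]
            for (u in names)
                if (split(names[u], a, " ") > 1)
                    printf "UID %s has names:%s\n", u, names[u]
            for (n in nopw)
                printf "account %s has an empty password field\n", n
        }' | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# write_samples DIR : constructed local passwd and NIS map with one name
# used for two UIDs, one UID shared by two names and one empty password.
write_samples() {
    cat > "$1/local" <<'EOF'
root:x:0:1:System:/:/bin/sh
daemon:*:1:1:::
operator:x:1001:20:Ops:/usr/users/operator:/bin/ksh
guest::2002:15:Guest:/usr/users/guest:/bin/sh
+::0:0:::
EOF
    cat > "$1/nis" <<'EOF'
operator:x:1500:20:Ops (NIS):/usr/users/operator:/bin/ksh
backup:x:1001:20:Backup:/usr/users/backup:/bin/ksh
jdoe:x:3001:30:Jane Doe:/usr/users/jdoe:/bin/csh
EOF
}

# Run the demonstration when invoked as: sh account_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && write_samples "$d" && account_check "$d/local" "$d/nis"
    rm -rf "$d"
fi
```

A non-zero return from account_check is what a cron-driven periodic review should mail to root, exactly as the audit summary script at the end of this appendix does.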
Use the following command to validate all the hidden files on your system:
# find / \( -name '.*' ! -name . ! -name .. \) -print
Use the following command to verify that no device files exist outside the /dev directory:
# find / \( -type b -o -type c \) -print
Ensure that entries in the following startup scripts are appropriate and that the files are properly protected:
/sbin/inittab
/etc/init.d
/sbin/rc?.d (where ? is the run level)
Ensure that the data saved in /var/adm/crash in the event of a system crash is accessible only to root and adm users.
Using a password cracker program such as the public domain crack program, ensure that user passwords cannot be determined.
Verify your site's physical security as described in Section F.5.
Verify the permissions and ownership on the following directories:
Directory | Correct permission | Correct owner | Correct group
/ | 755 | root | system
/bin | 755 | root | system
/dev | 640 | root or bin | system
/dev/null | 666 | root | system
/dev/ttys | 666 | root | system
/etc | 755 | root | system
/etc/rc.config | 755 | bin | bin
/etc/exports | 644 | root | system
/etc/passwd | 644 | root | system
/etc/resolv.conf | 644 | root | system
/etc/screend.config | 755 | root | system
/etc/sec | 755 | root | system
/home | 555 | root | system
/lib | 755 | root | system
/opt | 755 | root | system
/sbin | 755 | root | system
/sys | 755 | root | system
/tcb | 755 | root | system
/tmp | 1777 | root | system
/usr | 755 | root | system
/usr/bin | 755 | root | system
/usr/lib | 755 | root | system
/usr/ucb | 755 | root | system
/var | 755 | root | system
/var/adm | 755 | root | system
/var/adm/crash | 700 | root | system
/var/adm/cron | 755 | root | system
/var/spool | 755 | root | system
/var/spool/cron | 755 | root | system
/var/spool/cron/atjobs | 755 | root | system
/var/spool/cron/crontabs | 755 | root | system
/var/tcb | 755 | root | system
/var/tcb/audit | 755 | root | system
/var/tcb/bin | 755 | root | system
/var/tcb/files | 755 | root | system
The following documents will help you create and maintain a secure computing environment:
Site Security Handbook (RFC 1244) This handbook is the product of the Site Security Policy Handbook Working Group, a combined effort of the Security Area and User Services Area of the Internet Engineering Task Force.
Tru64 UNIX Installation Guide
Tru64 UNIX and Installation Guide -- Advanced Topics
Trusted Computer System Evaluation Criteria, U.S. Department of Defense, National Computer Security Center, DoD 5200.28-STD, December, 1985. This document, known as the Orange Book because of the color of its cover, is the U.S. Government's definitive guide to the development and evaluation of trusted computer systems. An online copy of the Orange Book is available at http://nsi.org/Library/Compsec/orangebo.txt
Password Management Guideline U.S. Department of Defense, (CSC-STD-002-85), April 12, 1985. This document, known as the Green Book because of the color of its cover, supports the Orange Book by presenting a set of recommended practices for the design, implementation, and use of password-based user authentication mechanisms.
The following documents will help you understand security concepts and procedures:
Computer Security Basics - O'Reilly and Associates, Inc.
Practical UNIX Security - O'Reilly and Associates, Inc.
UNIX: Its Use, Control, and Audit - Contact the Institute of Internal Auditors Research Foundation at 249 Maitland Avenue, Altamonte Springs, Florida 32701-4201.
The following tools can help you maintain a secure environment:
crack
A public domain password-checking program available at ftp://ftp.cert.org/pub/tools/crack/.
tripwire
An integrity monitor for UNIX systems. The tripwire software uses several checksum/signature routines to detect changes to files and to monitor selected items of system-maintained information. The program also monitors for changes in permissions, links, and sizes of files and directories. The tripwire package can be downloaded from ftp://coast.cs.purdue.edu/pub/COAST/Tripwire/.
COPS
The Computer Oracle and Password System (COPS) package from Purdue University examines a system for a number of known weaknesses and alerts the system administrator to them; in some cases it can automatically correct these problems. The COPS package can be downloaded from ftp://ftp.cert.org/pub/tools/cops/.
SATAN
SATAN is a tool that helps system administrators recognize several common networking-related security problems. It reports the problems without actually exploiting them. For each type of problem found, SATAN offers a tutorial that explains the problem, what its impact could be, and what can be done about the problem. SATAN and several other security tools and documents are available at Wietse Zweitze Venema's Web site at ftp://ftp.win.tue.nl/pub/security/index.html.
The following script is an example of a tool you can create to extract login and logout information from the audit logs:
#!/usr/bin/ksh -ph
# Script to return summary of login/logout activities on the
# system since the last time it was run.
export PATH=/usr/sbin:/usr/bin:/usr/ccs/bin:/sbin
# where this script should run
Bdir=/var/adm/local
# where to find audit log files
Adir=/var/audit
Ofile="${Bdir}/lasttime"     # timestamp of the previous run
Nfile="${Bdir}/newtime"      # timestamp of this run
Afile="${Bdir}/lastdata"     # binary audit records selected this run
Tfile="${Bdir}/lastmsg"      # formatted report mailed to root
Events="-e trusted_event"
umask 077
# ensure the output format we need from date.
export LANG=C LC_ALL=C
export TZ=:UTC
if [ ! -f "${Ofile}" ]
then
    # first run: report everything since the epoch
    print 700101000001 > "${Ofile}"
    touch -t 197001010000.01 "${Ofile}"
fi
date +%y%m%d%H%M%S > "${Nfile}"
curfile=$(auditd -q)
auditd -dx
sleep 20    # give time for compression of the old log
while [ -f "$curfile" -a -f "$curfile".Z ] || [ -f "$curfile" \
      -a -f "$curfile".gz ]
do
    sleep 2    # wait some more
done
: > "${Afile}"
for af in $(find "$Adir" -name "auditlog.*" -newer "${Ofile}" \
          -print | sort)
do
    audit_tool -b -t $(<"${Ofile}") -T $(<"${Nfile}") >> \
        "${Afile}" -o -Q $Events "${af}" 2>/dev/null
    # the suppressed errors are for the {un,}compressed messages
done
TZ=:localtime
if [ -s "${Afile}" ]
then
    audit_tool -B -Q "${Afile}" > "${Tfile}"
    if [ -s "${Tfile}" ]
    then
        Mail -s 'login/out audit summary' root < "${Tfile}"
    fi
fi
mv -f "${Nfile}" "${Ofile}"
rm -f "${Afile}"
The following is the crontab entry for the above logging script:
0 9 * * * /var/adm/local/lreport