Unix Hardening History

Contents: News | See also | Recommended Links | Books | Static System Scanners | Solaris Specific issues | Specialised Scanners | FAQs | RFCs | Archives | COPS (audit, dead) | Tiger (audit, dead) | YASSP (dead?) | Bastille (RH Linux only hardening, very weak, needs work) | Best Unix Security Papers | Slightly Skeptical Notes on Titan | Skeptic View on Unix Security | Solaris Security Toolkit (JASS) Notes | Humor | Random Findings | Etc

Note: This page contains only historically important information about such milestones in Unix hardening as

 Current information is located at  Softpanorama Hardening page

Dr. Nikolai Bezroukov


News

Perl COPS disguised as cops-1.04.tgz (i386)

A.P. Lawrence, SCO Unix Consultant: Security COPS SCO port ?


Recommended Links


Below are historically important documents that are still available on the Internet:


Archives


FAQs

Useful Usenet FAQs

FAQ Network Intrusion Detection Systems

Security archive

Security Audit FAQ

Technical Whitepapers and Publications


RFCs

New Site Security Handbook (RFC 2196, 1997) -- old but useful

Old Site Security Handbook (RFC 1244, 1991) -- the original version: mainly historical value


Generic Historically Important System Scanners and Hardening Scripts

Covered below: COPS, Tiger, YASSP (Solaris), Sherpa
  • YASSP -- (abandoned) set of hardening scripts, plus an installer for additional tools, for Solaris

    *** Dead? YASSP (Yet Another Solaris Security Package) by Jean Chouanard, Xerox PARC. Jean Chouanard left Xerox PARC and development has stalled. The main attraction is that YASSP installs TCP Wrappers, Tripwire and several other tools as part of the hardening run. Bravo Jean! Sysadmins are notoriously lazy, and installing TCP Wrappers for them is a valuable service ;-) Like Titan, it uses Casper Dik's fix-modes script to correct the permissions of critical files and directories. The scripts also contain a promising idea: a central configuration file, yassp.conf, that controls the behavior of the other scripts. It requires a competent administrator to use.

    See "What's new" for more current information on updates to the paper and the package.

    SECclean internals

    YASSP post-installation steps -- a very good paper that contains an excellent list of Solaris hardening resources

    How-to:

    This is a short "how to", dedicated to people having to deal with host security under Solaris 2.6, 7 and 8.

    The goal is to install Solaris and have good host security without having to spend hours on modifications. Also, as the basic configuration will be standard, I have added a set of useful tools, compiled and packaged to make their installation easier. At the end, the install should be *clean* (= "pkgchk -n" reports no errors).

    The first step is to disable everything which is not needed.

    Each package will install its default configuration files if they do not exist, and run any init script if needed. They won't delete their configuration files at de-install time, which eases your work when updating these packages.

    We have used this packaging to install file servers, ftp servers, NIS servers, firewalls and hosts. It is quite nice not to have to wonder how to do that, and very useful to be able to update packages independently.

    As the source of the SECclean package is available, it is easy for you to copy it and localize it so it reflects your configuration. From this package, we have derived different classes of packages to install NIS servers, NFS servers and end-user workstations.

    For more information on the SECclean package and on how to localize it to meet your needs, see: ftp://ftp.parc.xerox.com/pub/jean/solins/secclean.html

    Files Installed:

    Installed files are listed in the prototype file.


    Tiger

    *** TAMU Tiger -- abandonware generic Unix audit tool. No longer supported...
    In some respects it is similar to COPS; in some (but not all) areas it is more advanced. Decent architecture. It can still be considered a pretty decently written set of Bourne shell scripts (it can probably be used for studying Bourne shell programming). In a certain sense it can be considered a derivative of COPS, but with a significant degree of original effort and talent.

    The code base is largely outdated because of the availability of ksh93 and Perl, but the vulnerabilities it checks for are not. Despite its age, Tiger is still able to find some relevant vulnerabilities on any freshly installed system, to say nothing of one misconfigured later by the joint effort of sysadmin(s) and users ;-).
    It produces a lot of false positives and incorrectly reported vulnerabilities, so the report needs to be analyzed manually. There are two distributions:
    1. tiger-2.2.3p1 is the final original TAMU distribution, with the check_devs and check_rhosts fixes applied.
    2. tiger-2.2.4p1 is 2.2.3p1 plus some changes to support Linux. The changes from 2.2.3 are pretty minor. It also produces a lot of false positives.
    The architecture is similar to COPS with some extensions (the idea of preprocessing system files to simplify checks, directories with customization for each flavor of operating system supported, etc). But Bourne shell is much less expressive than Perl, and as a result the coding is much more obscure and beyond redemption. IMHO rewriting in Perl or another scripting language is the most viable option for further development. See the readme and tamu_summary.txt for more information.

    Developer directory: Directory of -packages-security-TAMU -- do not expect much, anyway ;-)

    Derivatives:

    TARA (Tiger Analytical Research Assistant) -- This is not a new product but ripware: the renamed original package (Tiger 2.2.3) with just a minor bugfix (IMHO it fixes only one error: the GROUPS environment variable should be renamed to GROUPSS or any other name because of the conflict with an existing global environment variable on some Unix systems). The fix was made by Ripclaw on July 31st, 1999, but since then development seems to have stopped. See the web site TARA - Tiger Analytical Research Assistant, if it's still alive.


    COPS (Computer Oracle and Password System)

    *** Largely outdated abandonware written by Dan Farmer. Available from ftp.cert.org and many other places, but it has mainly historical importance (the last version, 1.02, is dated 1991).

    Historically this was the first widely available set of scripts that identifies security risks on a Unix system. It checks for empty passwords in /etc/passwd, world-writable files, misconfigured anonymous ftp and several other vulnerabilities. Last version is 1.02. It produces several reports that can be integrated by the carp tool.

    There are several derivatives: Perl COPS and, to a certain (limited) extent, Tiger and Titan (see below).

    Abstract (of the Perl Kuang component): This is a Perl version of Dan's version of Bob Baldwin's Kuang program (originally written as some shell scripts and C programs). Features include: caches passwd/group file entries in an associative array for faster lookups (this is particularly helpful on insecure systems using YP, where password and group lookups are slow and you have to do a lot of them); can specify the target (uid or gid) on the command line; can use the -l option to generate a PAT for a goal; can use -f to preload file owner, group and mode info, which is helpful in speeding things up and in avoiding file system 'shadows'.


    Sherpa

    sherpa - a system security configuration tool for GNU/Linux -- abandoned tool that can provide a good starting ground for additional work.

    sherpa inventories basic filesystem security (permissions, file ownership) and creates a report of what it finds. It can also be used as a remedial tool, one that will change file permissions and ownership according to the modes listed in perms.lst.

    sherpa will do a series of basic checks of RedHat GNU/Linux 5.x/6.x and SuSE 6.0 filesystems and should be run (a) after initial installation of the operating system and then (b) periodically. Many of the checks performed herein are based on sources I have studied and found useful.

    sherpa performs the following checks on your local filesystems:

    1. Checks for SUID and SGID files
    2. Checks for world-writable files
    3. Checks for .rhosts and hosts.equiv files
    4. Summarizes configured network services (via inetd) and checks for use of tcp_wrappers
    5. Checks for use of shadow passwords
    6. Checks file and directory permissions, as well as ownership, against a set list (a sample list for RedHat 6.x is here)

    Also, sherpa is written in Perl because of its ease of use when it comes to report generation and system administration needs. While I'm sure a C program would be faster, it would be a lot less *practical* than a Perl script and less amenable to localized tweaking as the need to do so arises.
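    What a COPS- or sherpa-style local audit boils down to, as an added example that is not code from COPS, sherpa, Tiger or any other tool on this page: the functions below implement COPS's empty-password check and sherpa's checks 1, 2 and 6 in POSIX shell against a directory treated as the filesystem root, and make_fixture builds a constructed sample tree (hypothetical accounts and files, not taken from any real system) so the checks can be run offline.

```shell
#!/bin/sh
# Added example, not code from COPS, sherpa or Tiger. ROOT is a directory
# treated as the filesystem root so the checks can run against a sample tree.

# COPS-style check: accounts whose password field (field 2) is empty.
audit_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# sherpa check 1: regular files with the setuid or setgid bit set.
audit_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# sherpa check 2: world-writable files and directories, ignoring sticky
# directories such as /tmp where world-write is intended.
audit_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# sherpa check 6 (the perms.lst idea): LIST holds "relative-path octal-mode"
# lines; report files that are missing or whose mode is not exactly as listed.
check_perms() {
    root=$1
    while read -r rel want; do
        case "$rel" in ''|'#'*) continue ;; esac
        path="$root/$rel"
        if [ ! -e "$path" ]; then
            echo "MISSING $rel"
        elif [ -z "$(find "$path" -prune -perm "$want" -print)" ]; then
            echo "MODE $rel expected $want actual $(ls -ld "$path" | cut -c1-10)"
        fi
    done < "$2"
}

# Constructed sample tree (assumption: nothing here is a real system file).
# umask is pinned so the fixture's modes do not depend on the caller.
make_fixture() {
    umask 022
    mkdir -p "$1/etc" "$1/home/alice" "$1/usr/bin"
    printf 'root:x:0:0::/root:/bin/sh\nguest::500:100::/home/guest:/bin/sh\n' > "$1/etc/passwd"
    chmod 644 "$1/etc/passwd"
    printf 'root:*:0:0:99999:7:::\n' > "$1/etc/shadow"
    chmod 644 "$1/etc/shadow"                       # deliberately too permissive
    : > "$1/usr/bin/setuid_tool"; chmod 4755 "$1/usr/bin/setuid_tool"
    : > "$1/home/alice/notes";    chmod 666  "$1/home/alice/notes"
    printf 'etc/passwd 644\netc/shadow 600\n' > "$1/perms.lst"
}

# When invoked with a root directory, run every check and print the findings.
if [ $# -gt 0 ]; then
    echo "== empty passwords"; audit_empty_passwords "$1/etc/passwd"
    echo "== setuid/setgid";   audit_setuid "$1"
    echo "== world-writable";  audit_world_writable "$1"
    echo "== perms.lst";       check_perms "$1" "$1/perms.lst"
fi
```

    Against the fixture, the run reports guest (empty password), usr/bin/setuid_tool, home/alice/notes and a MODE line for etc/shadow; etc/passwd matches its listed mode and is silent. On a live host the same functions are pointed at / and a real perms.lst, and the setuid and world-writable lists are the ones worth diffing against a baseline from the last run, which is exactly the "run after install, then periodically" usage sherpa describes.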



    Specialized Scanners

    Covered below: Firewall-1, NetBIOS, NFS, Rservices, X

    Firewall-1

    Firewall-1 Table Script 1.0
    by Lance Spitzner
    <http://www.enteract.com/~lspitz/fwtable.html>

    The purpose of this Perl script is to help you gain a better understanding of Check Point FW-1's stateful inspection table. This table is where FW-1 maintains all concurrent...

    IDS Alert Script for FW-1 1.3
    by Lance Spitzner
    <http://www.enteract.com/~lspitz/intrusion.html>
    Platforms: Solaris
    Size: 18.00Kb

    Flexible network-based IDS script for Check Point Firewall-1 installations. Build intrusion detection into your firewall. Features include: automated alerting, logging and archiving; automated blocking of the attacking source; automated identification of, and email to, the remote site; installation and test script; fully configurable. Ver 1.3 is optimized for performance, with over a 50% speed increase.

    Firewall Info (Firewall-1)
    by Jason R. Rhoads
    <http://www.sabernet.net/software/>
    Platforms: Solaris
    Size: 5.94Kb

    This is a modified version of the fwobjects.pl script posted to the fw-1 mailing list. Author unknown. Its purpose is to document FireWall-1 security policies in HTML (Unix).


    NetBIOS Auditing Tool

    Homepage: http://www.secnet.com/ntinfo/ntaudit.html

    The NetBIOS Auditing Tool, or NAT for short is a completely free tool meant to audit NetBIOS file shares and password integrity on Windows NT and UNIX machines running SAMBA.

    Nfsbug

    This utility tests a host for well-known NFS problems. The tests include finding world-exported file systems, determining whether export restrictions work, determining whether file systems can be mounted through the portmapper, trying to guess file handles, and exercising various bugs to access file systems.

    See also Chris Metcalf's hacks

    CheckXusers - Checks every user logged onto a system for unrestricted X-windows access

    Rservices

    Michele D. Crabb, raudit

    Abstract: raudit is a Perl script which audits each user's .rhosts file and reports on various findings. Without arguments, raudit will report on the total number of rhosts entries, the total number of non-operations entries (entries for which the host is listed in the /etc/hosts.equiv file), and the total number of remote entries (entries for which the host is a non-NAS host). raudit will also report on any entries which may be illegal. An entry is considered illegal if the username does not match the username from the password file or if the entry contains a "+" or a "-". raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).
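    The raudit classification, as an added example in POSIX shell (not raudit itself, which is Perl and is not reproduced here): rhosts_audit walks the password file, reads each account's .rhosts, and labels every entry as illegal (a "+"/"-" wildcard or a username that does not match the owning account), an operations host (listed in hosts.equiv) or a remote host; rhosts_summary produces the totals the abstract mentions. ROOT, the file arguments, and the users and hosts built by make_rhosts_fixture are assumptions made so the script runs offline against a constructed tree.

```shell
#!/bin/sh
# Added example, not raudit's own code. ROOT is prepended to each account's
# home directory so the audit can run against a constructed tree.
#
# Labels for each .rhosts entry "host [user]":
#   WILDCARD  host or user field starts with + or -     (illegal per raudit)
#   MISMATCH  user field differs from the account that owns the .rhosts file
#   EQUIV     host is also listed in hosts.equiv        (an "operations" host)
#   REMOTE    any other host
rhosts_audit() {
    root=$1; passwd=$2; equiv=$3
    while IFS=: read -r user pw uid gid gecos home shell; do
        f="$root$home/.rhosts"
        [ -f "$f" ] || continue
        while read -r host ruser; do
            case "$host" in ''|'#'*) continue ;; esac
            wild=
            case "$host"  in +*|-*) wild=1 ;; esac
            case "$ruser" in +*|-*) wild=1 ;; esac
            if [ -n "$wild" ]; then
                echo "WILDCARD $user $host${ruser:+ $ruser}"
            elif [ -n "$ruser" ] && [ "$ruser" != "$user" ]; then
                echo "MISMATCH $user $host $ruser"
            elif grep -qxF "$host" "$equiv"; then
                echo "EQUIV $user $host"
            else
                echo "REMOTE $user $host"
            fi
        done < "$f"
    done < "$passwd"
}

# Totals in the style of raudit's report: all entries, hosts.equiv entries,
# remote entries, and illegal entries (wildcards plus username mismatches).
rhosts_summary() {
    rhosts_audit "$@" | awk '
        { n[$1]++; total++ }
        END { printf "total=%d equiv=%d remote=%d illegal=%d\n",
                     total, n["EQUIV"], n["REMOTE"], n["WILDCARD"] + n["MISMATCH"] }'
}

# Constructed users, hosts.equiv and .rhosts files (assumption: hypothetical data).
make_rhosts_fixture() {
    mkdir -p "$1/etc" "$1/home/alice" "$1/home/bob"
    printf 'alice:x:1001:100::/home/alice:/bin/sh\nbob:x:1002:100::/home/bob:/bin/sh\n' > "$1/etc/passwd"
    printf 'ops1\nops2\n' > "$1/etc/hosts.equiv"
    printf 'ops1\nfarhost alice\n' > "$1/home/alice/.rhosts"   # one equiv, one remote
    printf '+ +\nops2 alice\n' > "$1/home/bob/.rhosts"         # wildcard, then mismatch
}

# Usage: sh rhosts_audit.sh ROOT PASSWD HOSTS_EQUIV  (e.g. "" /etc/passwd /etc/hosts.equiv)
if [ $# -ge 3 ]; then
    rhosts_audit "$@"
    rhosts_summary "$@"
fi
```

    For the fixture the audit prints EQUIV alice ops1, REMOTE alice farhost, WILDCARD bob + +, MISMATCH bob ops2 alice, and the summary reads total=4 equiv=1 remote=1 illegal=2. Mailing that output weekly from cron, as the abstract describes, is the whole of the operational model; the one design point worth keeping from raudit is that a "+" anywhere in a .rhosts line is flagged unconditionally, since "+ +" trusts every user on every host.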

    X

    See also Securing X Windows

    Title: checkXusers
    Author: Bob Vickers
    File size: 3232 bytes
    Abstract:

    This script checks for people logged on to a local machine from insecure X servers. It is intended for system administrators to check up on whether users are exposing the system to unacceptable risks. Like many commands, such as finger(1), checkXusers could potentially be used for less honorable purposes. checkXusers should be run from an ordinary user account, not root. It uses kill, which is pretty dangerous for a superuser. It assumes that the netstat command is somewhere in the PATH.


    Random Findings

    Suse Tools

    Linux Today SuSE Security Announcement - new security tools

    Harden SuSE - A special script for hardening SuSE Linux 5.3 - 6.3. By answering 9 questions, the system is reconfigured very tightly, e.g. disabling insecure network services and removing suid/sgid/world-writable permissions which are not critical. RPM: hardsuse.rpm

    SBScan

    Homepage: http://www.haqd.demon.co.uk/security.htm

    Download: TUCOWS Linux Download Page for SBScan 0.05

    Weak: a simple shell script plus a couple of C programs. Nothing special.

    SBScan is a localhost security scanner. It checks for numerous security problems on a Linux box. Written by and for Slackware Linux primarily, but it should run on any Linux-based system. Currently checks loads of stuff, such as unpassworded accounts, MD5 sums, inetd.conf, open ports, shadow passwords, groups, tcp wrappers, anonymous FTP, people grabbing passwd files, log file permissions, directory permissions, NFS exports, X hosts, rootkits, suspicious files, rhosts, suid programs in user areas, promiscuous-mode checks, subnet promiscuous-mode checks, etc.

    Check.pl by Miscellaneous Code, Inc.

    audit

    Download: [ packet storm ] packetstorm.securify.com
    Homepage: Jeff Tranter's Home Page

    audit checks files in the home directory for strange permissions, ownership, etc. (Feb 7, 1999; stable: none, devel: 0.2)

    Merlin by CIAC
    Merlin is an HTTP front-end system that allows point-and-click internal vulnerability scanning. Merlin runs in conjunction with the Netscape browser and any security package, such as COPS, Crack, TAMU Tiger, etc. Simply download the desired security packages and then run Merlin. Merlin makes system scanning easy with its innovative HTTP interface. Merlin is a useful tool for system administrators who have little time to perform the necessary security scans.

    Hobgoblin. Kenneth Rich and Scott Leadley. hobgoblin: A File and Directory Auditor. In Proceedings of the Fifth Large Installation Systems Administration Conference, p. 199. USENIX Association, Berkeley, CA, September 1991.

    Hobgoblin checks file system consistency against a description. Hobgoblin is a language and an interpreter. The language describes properties of a set of hierarchically organized files. The interpreter checks the description for conformity between the described and actual file properties. The description constitutes a model for this set of files. Consistency checking verifies that the real state of these files corresponds to the model, flagging any exceptions. Hobgoblin can verify conformity of system files on a large number of systems to a uniform model. Relying on this verification, system managers can deal with a small number of conceptual models of systems, instead of a large number of unique systems. Also, checking for conformity to an appropriate model can enhance system reliability and security by detecting incorrect access permissions or non-conforming program and configuration files.

    chkacct v1.1, by Shabbir Safdar : Chkacct was designed to complement tools like COPS and Tiger. Instead of checking for configuration problems in the entire system, it is designed to check the settings and security of the current user's account. It then prints explanatory messages to the user about how to fix the problems. It may be preferable to have a security administrator ask problem users to run chkacct rather than directly alter files in their home directories.

    noshell, by Michele D. Crabb: noshell provides an informative alternative to /bin/false.





    Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.


    Last modified: September, 12, 2017