UNIX Computing Security/Useful tools

Suggested topics: COPS, TIGER, sudo, md5, nfsbug, tripwire, OpenSSH, Linux Virtualization, SNORT, IDS/IPS, IPTables.


There are a number of commercial and free software tools available that are designed to help the System Administrator strengthen the security of their system. Depending on the security requirements, a number of these utilities can be employed on a regular basis to strength-check their system security, look for indications of an attack or a compromised system, and implement more secure procedures.

COPS

edit

This venerable package consists of a series of scripts and binaries that can be used to check some basic security configurations on a UNIX system. The last update to this package was version 1.04, released in 1991. hence this tool is starting to show its age, and may require some fine tuning to operate on a modern version of UNIX. The output will vary according to the UNIX vendor and OS version. (There is also a perl version included in the package, but was based on a much older version of perl and is known to have some bugs.)

The following groups of checks are performed by the COPS utility:

  1. Check selected system directories for world-write permissions.
  2. Check specific system files for world-write permissions.
  3. Check all files on the system for setuid status and note changes.
  4. Check for insecure entries in the /etc/passwd file.
  5. Check the format of the /etc/group file.
  6. Check the root account PATH, umask, and for a root entry in the /etc/ftpuser.
  7. Check for world-writeable files in /etc/rc*.
  8. Check for world-writeable files in /usr/lib/crontab.
  9. Check specific startup and configuration files in the user home directories.
  10. Use the U-Kuang rules-based expert system to check for potential security exploits.

Checksum utilities

edit

There are UNIX utilities such as cksum and md5 that can be used to read the contents of a file and produce a one-way hashed values, or checksums, as an output. The value of the resulting string will change whenever the contents of a file is changed, so this utility can be used to check whether a downloaded file has been tampered with inappropriately. The string can also be used to check whether a file was corrupted during the download process.

For example,

$ mdf important_data.pdf
MD5 (important_data.pdf) = 46df33cb1473394c32a8910d162eb913

Whenever a System Administrator downloads a program or patch that will be executed on a UNIX system, it is important that the checksum of the file be compared with the value at a secure source. This will help to protect the system from illicit tampering. Many vendors will provide checksum values for the downloadable files that they make available. When possible, a stronger utility such as md5 should be used instead of cksum, as this will make it vastly more difficult for an attacker to produce a tampered file that has the same checksum.

Checksums can also be used to validate the binary commands on a system. Some integrity-checking utilities such as tripwire use multiple checksum programs to search for file modifications.

OpenSSH

edit