Unix Hardening History

Note: This page contains only historically important information about such milestones in Unix hardening as

• COPS (1991)
• Tiger  (1992)
• Titan (in a separate article)

 Current information is located at  Softpanorama Hardening page

Dr. Nikolai Bezroukov

NEWS CONTENTS

News

Perl Cops disguided as cops-1.04.tgz (i386)

• doclib.org - -Linux-system-security-cops_104_linux -- Modification for Linux ?

• .[packet storm]. - http--packetstormsecurity.org -- same packages

AP. Lawrence SCO Unix Consultant Security COPS SCO port ?

Recommended Links

Softpanorama Recommended

Top articles

Sites

Below are historically important documents that are still available on the Internet:

• Secure_Sun Author: David Safford File size: 11918 bytes

  This program checks for 14 common SunOS configuration security loopholes. It has been tested only on SunOS4.0.3 on Sun4, Sun3, and Sun386i machines. Each test reports its findings, and offers to fix any discovered problems. The program must be run as root to fix any of the problems but, it can be run from any account by replying \'n\' to any fix requests.

• CERT UNIX Configuration Guidelines-This document describes common UNIX system configuration problems that have been exploited by intruders and recommends practices that can be used to help deter several types of break-ins. We encourage system administrators to review all sections of this document and modify their systems to fix potential weaknesses.
• An Architectural Overview of UNIX Network Security -- A historically important overview by Robert B. Reinhardt.
• AusCERT UNIX Computer Security Checklist -- The Australian Computer Emergency Response Team has developed a checklist which assists in removing common and known security vulnerabilities under the UNIX Operating System. It is based around recently discovered security vulnerabilities and other checklists which are readily available
• Index of /pub/hacker/unix -- a lot of historically important tools

Archives

• ftp.auscert.org.au - Coast mirror

• The BioHazard HQ, Tools Page.

• Index of -public-security-tools

• OAK Software Repository

• tools.html

• Software Repositories in the Web

FAQs

Useful Usenet FAQs

• secure-programming
• firewalls-faq
• anonymous-ftp-faq -- old largely obsolete
• compromise-faq -- old, largely obsolete

FAQ Network Intrusion Detection Systems

Security archive

Security Audit FAQ

• Linux Help Online
• faq.txt

Technical Whitepapers and Publications

RFCs

New Site Security Handbook -- old but useful

Old Site Security Handbook -- the original version: mainly historical value

Generic Historically Important
System Scanners and Hardening Scripts

YASSP -- (abandoned) set of hardening scripts and installation of additional tools for Solaris

*** Dead ? YASSP Yet Another Solaris Security Package by Jean Chouanard, Xerox PARC. Jean Chouanard left Xerox PARC and the development is stalled. The main attraction is the YASSP functionality includes installation of TCP Wrappers, Tripwire and several other tools. Bravo Jean !!!. Sysadmins are notoriously lazy and installing TCP Wrappers for them is a valuable service ;-) Like titan it uses Fix-modes script to correct permissions of critical files and directories. This scripts also contain a promising idea of creating the central configuration file for yassp.conf that controls the behavior of other scripts. It requires a competent administrator to use.

See What's new on more current information on updates of the paper and package.

SECclean internals

Yassp Post installation steps -- a very good paper that contain an excellent list of Solaris hardening resources

How-to:

This is a short "how to", dedicated to people having to deal with host security under solaris 2.6//7 and 8

The goal is to install Solaris and have a good host security without having to spent hours in modification. Also, as the basic configuration will be standard, I have add a set of useful tools compiled and package to make their installation easiest. At the end, the install should be *clean* (= "pkgchk -n" has no error)

The first step is to disable everything which is not needed.

Each package will install their default configuration files if they do not exist, and run any init script if needed. They won't delete their configurations files at the de-install time which ease your work for updating these package.

We have used this packaging to install files servers, ftp servers, NIS servers, firewalls and host. It is quite nice not to have to wonder how to do that and very useful to be able to update package independently.

As the source of the SECclean package are available, it is easy for you to copy it and to localize it so it will reflect your configuration. From this package, we have derived different classes of package to install NIS server, NFS server and end user workstation.

For more information on the SECclean package and on how to localize it to meet your need, see: ftp://ftp.parc.xerox.com/pub/jean/solins/secclean.html

Files Installed:

Installed files are listed in the prototype file.

• /etc/shells : defaults shells, from getusershell(3C)
• /etc/ftpusers : list of denied users for ftp: by default all the existing system users.
• /usr/bin/openwin : a shell wrapper to *try* to avoid stating openwin without rpcbind running as it will hang the workstation.
• /etc/hosts.equiv : empty. Just to control it, as being installed with the right mode and part of the package.
• /.rhosts : empty. Just to control it, as being installed with the right mode and part of the package.

• /var/adm/loginlog : empty. Solaris will log bad login attend if this file exist.

  Files Replaced:

  Files replaced are handle by the postinstall script. See next section "Package modification". The postinstall script defined this list as its internal variable SA

  • /etc/inet/services: add various useful services not part of SUN distribution as the SecurID ACE services or for the FWTK (TIS)
  • /etc/profile : minor changes include /opt/local on the PATH and MANPATH
  • /etc/passwd : based on the distributed passwd file, just disable all system login
  • /etc/syslogd.conf : some cleanup. Nothing should be write on the console.
  • /var/spool/cron/crontabs/root : cleanup.
  • /etc/default/su : PATH and SUPATH to include /opt/local/bin.
  • /etc/default/login : PATH and SUPATH to include /opt/local/bin. Enforce 'CONSOLE=/dev/console' so that root can only login from the console.
  • /etc/default/inetinit : Enforce 'TCP_STRONG_ISS=2' RFC 1948 sequence number generation, unique-per-connection-ID.

  Files Modified:

  • /etc/inet/inetd.conf : all services turn OFF by default. Easy! :-)
  • /etc/pam.conf : turn off rhosts_auth
  • /etc/system : increase File descriptor limits, BSD style ptys and SVR4 style ptys. Attempt to prevent and log stack-smashing attacks. enable advanced memory paging technique.

  Files Deleted:

  Files deleted are Handle by the postinstall script. See next section "Package modification". The postinstall script defined this list as its internal variable SD

  • "/etc/auto_home /etc/auto_master /etc/dfs/dfstab /var/spool/cron/crontabs/adm /var/spool/cron/crontabs/sys /var/spool/cron/crontabs/lp /var/spool/cron/crontabs/uucp"

  RC files:

  Most of these modifications are done in the postinstall script. See next section "Package modification".

  RC files Deleted

  The postinstall script defined this list as its internal variable RC

  Long list of RC files turn off : "cacheos cachefs.root asppp uucp cachefs.daemon xntpd spc rpc autoinstall nfs.client autofs nscd lp nfs.server volmgt PRESERVE sendmail cacheos.finish sysid.sys sysid.net snmpdx dmi dtlogin power init.dmi init.snmpdx".

  These names are the name of the init files located in the /etc/init.d directory. For all the links existing under any /etc/rc?.d/ directory, the postinstall script will delete these link and write a trace trace log under /etc/rc?.d/Disable-By-SECclean which enable you to re-create the link if needed.
  If you need to re-enable some of these RC file, you can either re-create the package to fit your need (see Package modification) or just manually recreate the link after the install.

  RC files Replaced

  The postinstall script defined this list as its internal variable NRC

  • inetsvc
  • inetinit

  These files are based on the SUN distribution files, but have been simplify.

  RC files Added

  • /etc/init.d/nettune with link from /etc/rcS.d/S31nettune. It is based on Jens-S. Vöckler IP tuning script for Solaris (See his Very good page on tcp tuning under solaris).
  • /etc/init.d/umask.sh with a symbolink from: etc/rc0.d/S00umask.sh, etc/rc1.d/S00umask.sh, etc/rc2.d/S00umask.sh, etc/rc3.d/S00umask.sh, etc/rcS.d/S00umask.sh to control/force the UMASK by default of deamons.

---

Tiger

*** TAMU Tiger -- abandonware generic Unix audit tool. No longer supported...

In some respects it's similar to cops in some (but not all) areas more advanced. Decent architecture. Actually it's still can be considered to be a pretty decently written set of Borne scripts (it can probably be used for studying Borne shell programming). In a certain sense it can be considered as a derivative of Cops, but with significant degree of original effort and talent.

Code base is largely outdated because of availability of ksh93 and Perl, but vulnerabilities are not . Despite an old age Tiger still is able to find some relevant vulnerabilities on any freshly installed system to say nothing about misconfigured later by joint effort of sysadmin(s) and users ;-).

Produces a lot of false positives and incorrectly found vulnerabilities, so report needs to be manually analyzed. There are two distributions:

1. tiger-2.2.3p1 is the final original TAMU distribution, with the check_devs and the check_rhosts fix applied.
2. tiger-2.2.4p1 is the 2.2.3p1 plus some changes to support Linux. Actually changes from 2.2.3 are pretty minor. Produces a lot of false positives

Architecture is similar to Cops with some extensions (the idea of preprocessing of system files to simplify checks, directories with customarization for each flavor of operating system supported, etc). But Borne shell is much less expressive than Perl and as a result the coding is much more obscure and beyond redemption. IMHO Rewriting in Perl or other scripting language is the the most viable option for further development. See readme and tamu_summary.txt for more information.

Developer directory: Directory of -packages-security-TAMU -- do not expect much, anyway ;-)

Derivatives:

TARA (Tiger Analytical Research Assistant) -- This is not a new product but ripware -- renamed original package (Tiger 2.2.3) with just minor bugfix ( IMHO it fixes only one error (env. GROUPS variable should be better renamed to GROUPSS or any other name because of the conflict with existing global env. variable of some Unix systems). Fix was made by Ripclaw on July 31st 1999, but since then development seems stopped. See web site TARA - Tiger Analytical Research Assistant, if it's still alive.

---

COPS (Computer Oracle and Password System)

*** Largely outdated abandonware written by Dan Farmer. Available from ftp.cert.org and many other places but has mainly historical importance(the last vertion -- 1.02 is dated by 1991).

Historically this was the first widely available set of scripts that identifies security risks on a Unix system. It checks for empty passwords in /etc/passwd, world-writable files, misconfigured anonymous ftp and several other vulnerabilities. Last version is 1.02. Produces several reports that can be integrated by carp tool:

• Carp is a data analysis tool for cops output, primarily designed for use analyzing a cops directory tree full of cops output (presumably from a network of data.) It looks in the cops main directory (by default) and finds all subdirectories (and hence hostnames) containing cops reports (they are named something like "1992_Dec_31".) It then runs two subprograms; a report analyzer ("carp.anlz") and a table generator ("carp.table".) The final output will look something like:

  # hostname rep date crn dev ftp grp hme is pass msc pwd rc rot usr
  # ===========================================================================
  # neuromancer 1992_Jan_27 | 1 | | 2 | | 1 | 2 | | | 2 | 2 | 2 | |
  # sun 1992_Jan_26 | | | 2 | 2 | 1 | 2 | | | 2 | 2 | | 1 |
  # death 1992_Jan_15 | | | | 2 | 1 | 2 | | | | | 0 | |
  #
  The date is the date the cops report was created, the other headers correspond to the various checks that cops runs; "cron.chk", "ftp.chk", etc. The number refers to the severity of the most serious warning from that host on that particular check:

  0 == a problem that, if exploited, can gain root access for an intruder
  1 == a serious security problem, such as a guessed password.
  2 == a possibly serious security problem, but one that is difficult
  to analyze via a mere program. Look at the problems in question,
  and decide for yourself.
  Blanks mean that no problem was found (*not* that no problem exists!) If the -x flag was used, the pathname to the report file is printed after the corresponding report line for the host.

  All of these numbers are in the carp.anlz program; they can be modified to best suit your needs... and, of course, you should look at the actual cops report for more information on the specific problems encountered.

There are several derivatives: Perl Cops and, to a certain (limited) extent, Tiger and Titan (see below).

• Steve Romig, Perl Cops -- Perl4 abandonware, not very usable Index of -public-security-tools

Abstract: This is a perl version of Dan's version of Bob Baldwin's Kuang program (originally written as some shell scripts and C programs). Features including Caches passwd/group file entries in an associative array for faster lookups. This is particularly helpful on insecure systems using YP where password and group lookups are slow and you have to do a lot of them, can specify target (uid or gid) on command line, can use -l option to generate PAT for a goal, can use -f to preload file owner, group and mode info, which is helpful in speeding things up and in avoiding file system 'shadows'.

Shepra

sherpa - a system security configuration tool for GNU-Linux -- abandoned tool that can provide a good starting ground for additional work.

sherpa inventories basic filesystem security (permissions, file ownership) and creates a report of what it finds. It can also be used as a remedial tool, one that will change file permissions and ownership according to the modes listed in perms.lst.

sherpa will do a series basic check of RedHat GNU/Linux 5.x/6.x and SuSE 6.0 filesystems and should be run (a) after inital installation of the operating system and then (b) periodically. Many of the checks performed herein are based on sources I have studied and found useful.

sherpa performs the following checks on your local filesystems:

1. Checks for SUID and SGID files
2. Checks for world writable files
3. Checks for .rhosts and hosts.equiv files
4. Summarizes configured network services (via inetd) and checks for use of tcp_wrappers
5. Checks for use of shadow passwords
6. Checks file and directory permissions, as well as ownership against a set list (a sample list for RedHat 6.x is here)

Also, sherpa is written in Perl because of ease of use when it comes to report generation and system administration needs. While I'm sure a C program would be faster, it would be a lot less *practical* than a Perl script and less amenable to localized tweaking as the need to do so arises.

Features

• scanning of system configuration files for common problems
• scanning of file system permissions and ownership bits including SUID/SGID bits
• inventory of world-writable files/dirs
• generates reports (ASCII or HTML) and/or logs of scanning results
• suitable for periodic execution via cron
• can automatically fix permission/ownership problems if desired

Specialized Scanners

Firewall-1

Firewall-1 Table Script 1.0
by Lance Spitzner
<http://www.enteract.com/~lspitz/fwtable.html>

The purpose of this PERL script is to help you gain a better understanding of Check Point FW-1's stateful inspection table. This table is where FW-1 maintains all concurrent... [ more ]

Flexible network based IDS script for CheckPoint Firewall-1 installations. Build Intrusion Detection into your firewall. Features include: Automated alerting, logging, and archiving Automated blocking of attacking source Automated identification and email remote site Installation and test script Fully configurable Ver 1.3 Optimized for performance, over 50% speed increase.

This is a modified version of the fwobjects.pl script posted to the # fw-1-mailinglist. Author unknown. It's purpose is to document FireWall-1 security policies in HTML (Unix).

Flexible network based IDS script for CheckPoint Firewall-1 installations. Build Intrusion Detection into your firewall. Features include: Automated alerting, logging, and archiving Automated blocking of attacking source Automated identification and email remote site Installation and test script Fully configurable Ver 1.3 Optimized for performance, over 50% speed increase.

NetBIOS Auditing Tool

The NetBIOS Auditing Tool, or NAT for short is a completely free tool meant to audit NetBIOS file shares and password integrity on Windows NT and UNIX machines running SAMBA.

Nfsbug

This utility tests host for well known NFS problems. Among these tests include finding world exported file systems, determine whether export restrictions work, determine whether file systems can be mounted through the portmapper, try to guess file handles, and excercise various bugs to access file systems.

See also Chris Metcalf's hacks

CheckXusers - Checks every user logged onto a system for unrestricted X-windows access

Rservices

Michele D. Crabb, Raudit

Abstract: raudit is a Perl script which audits each user's .rhosts file and reports on various findings. Without arguments raudit will report on the total number of rhosts entries, the total number of non-operations entries (entries for which the hosts is listed in the /etc/hosts.equiv file, the total number of remote entries (entries for which the host is a non-NAS host. raudit will also report on any entries which may be illegal. An entrie is considered illegal if the username does not mach the username from the password file or if the entry contains a "+" or a "-". Raudit is normally run on a weekly basis via a cron job which runs rhosts.audit. The output is mailed to the NAS security analyst(s).

X

See also Securing X Windows

Title:checkXusers
Authors: Bob Vickers
File size: 3232 bytes
Abstract:

This script checks for people logged on to a local machine from insecure X servers. It is intended for system administrators to check up on whether users are exposing the system to unacceptable risks. Like many commands, such as finger(1), checkXusers could potentially be used for less honorable purposes. checkXusers should be run from an ordinary user account, not root. It uses kill which is pretty dangerous for a superuser. It assumes that the netstat command is somewhere in the PATH. Table of Contents

Random Findings

Suse Tools

Linux Today SuSE Security Announcement - new security tools

Harden SuSE - A special script for hardening a SuSE Linux 5.3 - 6.3. By answering 9 questions, the system is reconfigured very tightly. e.g. disabling insecure network services, removing suid/sgid/world-writable permissions which are not critical. RPM: hardsuse.rpm

SBScan

Homepage: http://www.haqd.demon.co.uk/security.htm

Download: TUCOWS Linux Download Page for SBScan 0.05

Weak. Simple shell script plus couple of C program. Nothing special.

SBScan is a localhost security scanner. It checks for numerous security problems on a linux box. Written by and for slackware linux primarily, but should run on any linux based system. Currently checks loads of stuff, such as unpassworded accounts, MD5 sums, inetd.conf, ports open, shadow passwords, groups, tcp wrappers, anonymous FTP, people grabbing passwd files, log file permissions, dir permissions, NFS exports, X hosts, rootkits, suspicious files, Rhosts, suid programs in user areas, promisc checks, subnet promisc checks, etc.

Check.pl by Miscellaneous Code, Inc.

• Check.pl -- rather basic, not much even historical value (see Shepra for a better solution as early Perl hardening tool). Not recommended even as a free codebase.

Audit

audit check files in home directory for strange permission, ownership, etc. Feb 07th 1999, 22:10 stable: none - devel: 0.2

Merlin by CIAC
Merlin is a http front-end system that allows point and click internal vulnerability scanning. Merlin runs in conjunction with the Netscape browser and any security package, such as COPS, Crack, TAMU-tiger, etc. Simply download desired security packages and then run merlin. Merlin makes system scanning easy with its innovative http interface. Merlin is a useful tool for system administrators who have little time to perform the necessary security scans. ToC

Hobgoblin Kenneth Rich and Scott Leadley. hobgoblin: A File and Directory Auditor. In Proceedings of the Fifth Large Installation Systems Administration Conference, page p. 199. USENIX Association, Berkeley, CA, September 1991. 44

Hobgoblin checks file system consistency against a description. Hobgoblin is a language and an interpreter. The language describes properties of a set of hierarchically organized files. The interpreter checks the description for conformity between the described and actual file properties. The description constitutes a model for this set of files. Consistency Ondishko checking verifies that the real state of these files corresponds to the model, flagging any exceptions. Hobgoblin can verify conformity of system files on a large number of systems to a uniform model. Relying on this verification, system managers can deal with a small number of conceptual models of systems, instead of a large number of unique systems. Also, checking for conformity to an appropriate model can enhance system reliability and security by detecting incorrect access permissions or non-conforming program and configuration files.

chkacct v1.1, by Shabbir Safdar : Chkacct was designed to complement tools like COPS and Tiger. Instead of checking for configuration problems in the entire system, it is designed to check the settings and security of the current user's account. It then prints explanatory messages to the user about how to fix the problems. It may be preferable to have a security administrator ask problem users to run chkacct rather than directly alter files in their home directories.

noshell, by Michele D. Crabb,
Noshell provides an informative alternative to /bin/false.

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019