Unix System Administration - PowerPoint PPT Presentation

Provided by: charles275
Slides: 56

Transcript and Presenter's Notes

1
Unix System Administration
  • IT Audit Preparation

2006-08-21
2
Presentation Conventions
  • Names (files, users, daemons) are usually in bold:
    /etc/syslog.conf
  • System dependent or variable items are usually in
    italics: /var/sadm/patch/patchnumber/log
  • File entries and output are in mono-spaced type:
    > root 8036 c Tue Apr 26 23:59:00 2005
    < root 8036 c Tue Apr 26 23:59:59 2005
  • Ä marks a line wrapped to fit on the slide:
    mv Solaris_9_Recommended_Patch_Cluster_log
    ÄSolaris_9_Recommended_Patch_Cluster_log.yyyymmdd
  • ð marks a horizontal tab (09 hex)
  • Reference OE is Solaris 9

3
Introduction
  • Suggestions for preparing your system prior to
    running the script from the auditor's office and
    before the auditor's port scan.
  • Based on the script supplied by the schools most
    recently audited; the script name is comcol06.
  • Primary focus is on the audit, not on making your
    system more secure.

4
Introduction continued
  • Comments within the script help with what the
    auditors are looking for, but sometimes you may
    have to guess.
  • References to the website refer to the IIPS page
    http://nciips.cc.nc.us/Standards.html, section
    "Helpful information and scripts for your next
    audit".

5
Solution Methods
  • Single-shot command, i.e. find blah-blah -exec
    (usually not recommended). If you use one, keep a
    log of what you have done.
  • Ad-hoc custom scripts.
  • Sun applications such as Solaris Security
    Toolkit, or individual Sun scripts from the
    toolkit (fixmodes, nddconfig, etc.).
  • Third-party security applications: YASSP, TITAN
    (4.0 for Solaris 9), etc.
  • Cfengine configuration program.

6
1-37 Introduction
  • Notes on how to execute directions refer to the
    previous version of the file (comcol05).
  • Prints host name, domain name, etc.

7
38-48 list /etc/syslog.conf
  • Presumably looking at the configuration to see if
    the system is logging repeated login failures.
  • The default Solaris 9 /etc/syslog.conf already
    does this in lines 12 and 13:
    *.err;kern.notice;auth.notice             /dev/sysmsg
    *.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages

8
Default /etc/syslog.conf line 12:
*.err;kern.notice;auth.notice  /dev/sysmsg
  • The authorization system reports repeated login
    failures and password change failures at the crit
    level, so auth.notice would send messages about
    these to the console.

9
Default /etc/syslog.conf line 13:
*.err;kern.debug;daemon.notice;mail.crit  /var/adm/messages
  • *.err logs all facility messages of err or
    higher; therefore the default configuration will
    log repeated login failures, which are at the
    crit level, to the messages file:
    May 8 10:40:28 sun0 login: REPEATED LOGIN FAILURES ON
    /dev/pts/23 FROM 10.1.7.220
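To check which actions the default selector lines above actually deliver a message to, here is an added example (not from the presentation) that parses syslog.conf selectors and resolves a facility.priority pair against them. The configuration excerpt is constructed, and `rule_applies`, `actions_for` and `default_destinations` are the example's own names.

```python
"""Work out which syslog.conf actions receive a message, to confirm that the two
default Solaris 9 lines quoted above catch auth.crit (repeated login failures)."""

# Priorities from most to least severe; a selector "facility.level" matches
# messages at that level or any more severe one.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}

def parse_syslog_conf(text):
    """Return [(selectors, action)], selectors being a list of (facility, level)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Selector and action are separated by whitespace (a tab on a real system).
        selector, action = line.split(None, 1)
        pairs = [tuple(part.split(".", 1)) for part in selector.split(";")]
        rules.append((pairs, action.strip()))
    return rules

def rule_applies(pairs, facility, priority):
    """True if any selector of the rule covers this facility at this priority."""
    hit = False
    for fac, level in pairs:
        if fac not in ("*", facility):
            continue
        if level == "none":          # "facility.none" excludes that facility
            return False
        if RANK[priority] <= RANK[level]:
            hit = True
    return hit

def actions_for(rules, facility, priority):
    """List the actions (files, devices, users) that receive facility.priority."""
    return [action for pairs, action in rules if rule_applies(pairs, facility, priority)]

# Constructed excerpt: the two default lines discussed on the slides plus three
# more in the same style; tabs separate selector and action as in the real file.
SAMPLE_CONF = (
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n"
    "*.alert;kern.err;daemon.err\toperator\n"
    "*.alert\troot\n"
    "*.emerg\t*\n"
)

def default_destinations(facility="auth", priority="crit"):
    """Where the sample configuration sends a given message; auth.crit by default."""
    return actions_for(parse_syslog_conf(SAMPLE_CONF), facility, priority)

if __name__ == "__main__":
    print(default_destinations())   # ['/dev/sysmsg', '/var/adm/messages']
```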

10
49-56 list patches (showrev -p)
  • Because the script does not interrogate the
    system to determine which packages are installed,
    it is possible that the auditors will incorrectly
    conclude that your system is missing some
    required patches.
  • Try providing the auditors with the recommended
    cluster log, Solaris_9_Recommended_Patch_Cluster_log,
    in /var/sadm/install_data.

11
49-56 list patches continued
  • The cluster log will indicate patches that
    cannot be applied because the package isn't on
    the system with:
    One or more patch packages included in - are not
    installed on this system.
    Patchadd is terminating.

12
71-86 List /etc/inetd.conf
  • Checking to see if services with known
    vulnerabilities have been commented out.
  • inetd.conf is the configuration file for the
    inetd daemon.
  • inetd is the server process for some Internet
    standard services (but not all).
  • Will start services only when requested and if
    they are listed in inetd.conf.
  • This file will also affect the auditor's port
    scan.

13
List /etc/inetd.conf continued
  • Two types of services are listed in inetd.conf:
  • Standard socket-based services that use the
    well-known port numbers; these match the service
    name listed in /etc/services.
  • Non-standard services that use a service name
    instead of a well-known port, based on RFC 1078
    TCP Port Service Multiplexor (TCPMUX). In other
    words, RPC services.

14
List /etc/inetd.conf continued
  • For example, the inetd.conf entry
    shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
    corresponds to the /etc/services entry
    shell 514/tcp
  • A request on tcp port 514 will result in inetd
    running the remote shell in.rshd found in
    /usr/sbin as root.

15
List /etc/inetd.conf continued
  • An RPC entry follows the service name with a /
    and version number, etc. For example, the
    inetd.conf entry
    rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
    is the entry for UFS disk quotas for NFS clients.
  • rpcbind listens on port 111 and handles a
    request for the service based on the service's
    name.

16
Removing Services from inetd.conf
  • Only run services that are required, based on an
    appropriate risk assessment.
  • Remove services by inserting the comment symbol (#)
    at the beginning of the line that configures the
    service.
  • Signal the inetd daemon to use the new configuration:
    pkill -1 inetd

17
/etc/inetd.conf socket-based services that should
always be removed
  • name (in.tnamed)
  • shell (in.rshd)
  • login (in.rlogind)
  • exec (in.rexecd)
  • comsat (in.comsat)
  • talk (in.talkd)
  • finger (in.fingerd)
  • systat
  • netstat
  • time
  • echo
  • discard
  • daytime
  • chargen

18
/etc/inetd.conf rpc services that should always
be removed (1)
  • 100232 (sadmind)
  • rquotad
  • rusersd
  • sprayd
  • walld
  • rstatd
  • rexd
  • uucp ¹
  • 100083 (ToolTalk DB)
  • 100221 (kcms server ²)
  • fs (Sun Font Server)
  • 100235 (cachefsd)
  • Recommend removing both uucp packages SUNWbnur
    and SUNWbnuu.
  • Recommend removing all Kodak Color Management
    System packages SUNWkcspf, SUNWkcspg,
    SUNWkcsrl, SUNWkcsrr, and SUNWkcsrt.

19
/etc/inetd.conf rpc services that should always
be removed (2)
  • 100134 (Kerberos warning message daemon)
  • 100242 (Kerberos DB Propagation daemon)
  • 100146 (smartcard amiserv)
  • 100147 (smartcard amiserv)
  • 100150 (smartcard OCF daemon)
  • sun-dr (dynamic configuration server)
  • 300326 (dynamic configuration server E10000)
  • 100424 (Standard Type Services Framework (STSF)
    Font Server)
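An added example (not part of the presentation) that parses an inetd.conf the way the preceding slides describe: socket-based entries are resolved to their /etc/services port, RPC entries are attributed to rpcbind, and each active entry is marked against the always-remove and risk-assessment lists from the slides. The sample files are constructed, and the two sets are the example's own transcription of the slide lists.

```python
"""Audit the active entries of an inetd.conf against /etc/services and the slides' lists."""

# Services the slides say should always be removed (names, RPC program names/numbers).
ALWAYS_REMOVE = {
    "name", "shell", "login", "exec", "comsat", "talk", "finger", "systat",
    "netstat", "time", "echo", "discard", "daytime", "chargen", "100232",
    "rquotad", "rusersd", "sprayd", "walld", "rstatd", "rexd", "uucp", "100083",
    "100221", "fs", "100235", "100134", "100242", "100146", "100147", "100150",
    "sun-dr", "300326", "100424",
}
# Entries the slides say need a documented risk assessment before a decision.
RISK_ASSESSMENT = {"ftp", "telnet", "tftp", "printer", "100234", "bpcd", "vnetd",
                   "bpjava-msvc", "100229", "100230", "100068", "100155", "100422",
                   "100153"}

def parse_services(text):
    """Map (name, proto) -> port from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(fields[0], proto)] = int(port)
    return table

def audit_inetd(inetd_text, services_text):
    """One record per uncommented inetd.conf entry, with the port it answers on."""
    services = parse_services(services_text)
    report = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # commented out: inetd will not start it
        name, proto, server = fields[0], fields[2], fields[5]
        if proto.startswith("rpc/"):
            # RPC form "prog/vers tli rpc/proto wait user server": port assigned
            # at run time and found by clients through rpcbind on port 111.
            key, kind, port = name.split("/", 1)[0], "rpc", 111
        else:
            # Socket form: the port comes from /etc/services; tcp6 maps to tcp.
            key, kind = name, "socket"
            port = services.get((name, proto.rstrip("6")))
        verdict = ("remove" if key in ALWAYS_REMOVE else
                   "risk-assess" if key in RISK_ASSESSMENT else "review")
        report.append({"service": key, "kind": kind, "port": port,
                       "server": server, "verdict": verdict})
    return report

# Constructed sample files in the Solaris 9 layout, not copied from a real system.
SAMPLE_INETD = """\
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -l
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
"""
SAMPLE_SERVICES = "shell 514/tcp cmd\nftp 21/tcp\nlogin 513/tcp\n"
```

The commented-out finger line is skipped, which is exactly the state the script is checking for.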

20
/etc/inetd.conf Entries Requiring a Risk
Assessment
  • ftp
  • telnet
  • tftp
  • printer
  • NetBackup related: 100234 (gssd), bpcd, vnetd,
    bpjava-msvc
  • Logical Volume Management: 100229, 100230,
    100068, 100242, 100155, 100422.
  • SunVTS: 100153
  • Removable Media Server: 100155/1

21
/etc/inetd.conf ftp
  • Vulnerability: Unsecure clear-text transfer of
    authentication credentials and data.
  • Risk Assessment: Required for Datatel
    Communications Management if not using Secure UI.
  • Other file transfers may be replaced with SunSSH
    scp or sftp programs.
  • A note in the audit script states that in.ftpd
    should have the -l option for logging. Put this in
    to make the auditors happy.

22
/etc/inetd.conf ftp continued
  • Due to the change of ftp daemon to wu-ftp in
    Solaris 9, in order to actually log ftp connections
    /etc/default/inetd will need to have the comment
    removed from the line:
    ENABLE_CONNECTION_LOGGING=YES
  • Recommend these entries in /etc/ftpd/ftpaccess:
    banner /etc/ftpd/banner.msg
    greeting terse
    message /etc/ftpd/welcome.msg login
  • Recommend /etc/ftpd/banner.msg have the same legal
    warning message as /etc/issue, and have no
    /etc/ftpd/welcome.msg file.

23
/etc/inetd.conf telnet
  • Vulnerability: Unsecure clear-text transfer of
    authentication credentials and data.
  • Risk Assessment:
  • Required for Datatel client access if not using
    UI SSL.
  • Datatel InstallShield requires it regardless of
    the UI setting.
  • Recommend use of ssh for administrative logins.

24
/etc/inetd.conf tftp
  • Vulnerability:
  • No authentication.
  • Unpredictable results when attempting to change
    home directory.
  • Runs as user nobody: can read all publicly
    readable files and write to all publicly writable
    files.
  • Risk Assessment: Leave enabled only if required
    to boot print servers or other diskless clients.

25
/etc/inetd.conf printer
  • Vulnerability:
  • At one time there was a buffer overflow exploit
    in in.lpd.
  • Runs as root; vulnerable to spoofing as it uses
    the IP address for authentication.
  • Risk Assessment: The buffer overflow
    vulnerability was fixed in 2001. But this service
    is not required if the system has EasySpooler
    installed; recommend leaving enabled only if the
    system does not have EasySpooler and needs to
    provide BSD printer services.

26
/etc/inetd.conf NetBackup Services
  • NetBackup inserts these entries into inetd.conf:
  • 100234 (gssd, Generic Security Service)
  • bpcd
  • vnetd
  • vopied
  • bpjava-msvc
  • Risk Assessment: Required if using NetBackup.
    100234 is only required if backing up remote
    clients using NFS.

27
/etc/inetd.conf Logical Volume Management
  • Solaris Volume Manager may insert the following
    entries:
  • 100229 (rpc.metad, remote metaset services)
  • 100230 (rpc.metamhd, manage multi-hosted disks)
  • 100242 (rpc.metamedd, manages mediator
    information)
  • 100442 (rpc.mdcommd, multi-node communication
    daemon)
  • Risk Assessment: Very little information provided
    by Sun. rpc.metad and rpc.metamhd were used for
    remote systems or by metatool, which is no longer
    in Solaris 9. Volume management seems to work
    without rpc.metamedd and rpc.mdcommd, but I'm
    still running them as a precaution.

28
/etc/inetd.conf sunvts
  • Vulnerability: At one time there was a buffer
    overflow potential with older versions.
  • Risk Assessment: Sun Validation and Test Suite
    seems to require this inetd.conf entry for both
    local and remote use. Depends on whether you want
    to run sunvts.

29
/etc/inetd.conf rpc.smserverd
  • Vulnerability: None that I can find, other than
    the usual RPC problems.
  • Risk Assessment: Handles requests from client
    applications to handle removable media (tape and
    cd media, not PCMCIA devices). Seems safe to use
    at this time.

30
87-93 List /etc/ftpusers
  • In Solaris 9 Sun modified the in.ftpd daemon to
    one based on the Washington University FTP
    (wu-ftp) server.
  • As a result, the use of /etc/ftpusers has been
    deprecated; users who cannot log in to the ftp
    server should be listed in /etc/ftpd/ftpusers.
  • Therefore there may not be an /etc/ftpusers file
    that can be listed, so this may have to be pointed
    out to the auditors.

31
101 List /etc/init.d/inetinit
  • inetinit is the startup script that handles
    TCP/IP configuration.
  • Sets up default router, ipsec, etc.
  • Reads /etc/default/inetinit to set TCP ISS
    (Initial Sequence Number) generation; see next
    slide.
  • No need to modify this script. Use Sun's
    nddconfig script to harden the network stack; you
    may want to show this to the auditors.

32
105 List /etc/default/inetinit
  • Looking for the TCP_STRONG_ISS setting.
  • A TCP session is easily hijacked if initial
    sequence numbers are easily guessed (see CERT
    Advisory CA-2001-09 and RFC 1948).
  • Be sure the TCP_STRONG_ISS setting in
    /etc/default/inetinit is:
    TCP_STRONG_ISS=2

33
107-109 List /etc/notrouter
  • System should not be running a routing protocol
    and forwarding packets.
  • When the machine boots, /etc/rc2.d/S69inet will
    set up the machine for routing if there is no
    /etc/notrouter file.
  • Make sure the system has /etc/notrouter; if not,
    create it by giving the commands:
    touch /etc/notrouter
    chgrp other /etc/notrouter
    chmod 400 /etc/notrouter

34
111-113 List /etc/defaultrouter
  • Its existence prevents the system from running a
    routing protocol.
  • Make sure the system has /etc/defaultrouter
    specifying the host's default router(s).

35
115-130 List /etc/hosts and /etc/hosts.equiv
  • Lists /etc/hosts to help in reading other files?
  • Looking for hosts.equiv files.
  • These are files for specifying trusted hosts and
    users for the r commands (rcp, rlogin, rsh,
    rcmd).
  • Should not have these; they allow trusted users to
    access a system without supplying a password.
  • If the system is running tcp_wrappers, there may
    be hosts.allow or hosts.deny; these are not a
    security problem.

36
131-137 List /etc/netgroups
  • Looking for the NIS netgroup file.
  • Should not have one; remove it if the system has one.

37
138-148 List all .rhosts files
  • These are also files for specifying trusted hosts
    and users for the BSD r commands (rcp, rlogin,
    rsh, rcmd).
  • Should not have these; they allow trusted users to
    access a system without supplying a password.
  • Remove them if the system has them, or be prepared
    to explain why they are on the system.

38
154-158 List /etc/motd and /etc/issue
  • Should be a legal warning and not reveal
    information about the system.
  • See standard C3 Legal Warning Banners.
  • If nothing else, be sure that /etc/motd is not
    the default that reveals the operating system and
    version:
    Sun Microsystems, Inc.   SunOS 5.9   Generic January 2003

39
159-192 List /etc passwd, shadow, and group
  • Specifically looking for: all accounts have
    passwords or are locked, odd user names, and
    unique UIDs.
  • Review /etc/passwd and /etc/shadow. Make sure
    users have password aging, inactivity days set,
    etc.
  • The logins command is helpful:
  • logins -d will display logins with duplicate uids
  • logins -p will display logins with no password

40
159-192 List /etc passwd, shadow, and group
continued
  • The passwd command can be used to set password
    aging:
  • passwd -x 90 jdoe
  • The usermod command can be used to set the
    maximum number of days allowed between uses of a
    login ID before it is made invalid (auditors like
    180 days):
  • usermod -f 180 jdoe
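The review described on the two slides above, as an added example that is not part of the presentation: it reads constructed passwd and shadow entries and reports what logins -d and logins -p would (duplicate UIDs, accounts with no password) plus the accounts that still lack the aging and inactivity values set with passwd -x and usermod -f. Field layouts follow Solaris passwd(4) and shadow(4); the sample hashes are placeholders.

```python
"""Review passwd/shadow data for what the audit script looks for: duplicate UIDs,
accounts with no password, and accounts without password aging or an inactivity limit."""

def parse_passwd(text):
    """name -> numeric uid from passwd lines (name:x:uid:gid:gecos:home:shell)."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            users[f[0]] = int(f[2])
    return users

def parse_shadow(text):
    """name -> password, max and inactive fields from shadow lines
    (name:password:lastchg:min:max:warn:inactive:expire:flag)."""
    entries = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 9:
            entries[f[0]] = {"password": f[1], "max": f[4], "inactive": f[6]}
    return entries

def review_accounts(passwd_text, shadow_text):
    """Return findings as tuples; locked (*LK*) and NP accounts need no aging."""
    findings = []
    by_uid = {}
    for name, uid in parse_passwd(passwd_text).items():
        by_uid.setdefault(uid, []).append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("duplicate-uid", uid, names))
    for name, e in parse_shadow(shadow_text).items():
        if e["password"].startswith("*LK*") or e["password"] == "NP":
            continue                                     # cannot log in anyway
        if e["password"] == "":
            findings.append(("no-password", name))       # lock it or set one
        if e["max"] == "":
            findings.append(("no-aging", name))          # passwd -x 90 name
        if e["inactive"] == "":
            findings.append(("no-inactivity-limit", name))  # usermod -f 180 name
    return findings

# Constructed sample entries (hashes are placeholders), not from a real system.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
jdoe:x:1001:10:J. Doe:/export/home/jdoe:/bin/ksh
toor:x:0:1:Spare root:/:/bin/sh
guest:x:1002:10:Guest:/export/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """\
root:abcd1234EFGH5:13300::::::
daemon:NP:6445::::::
jdoe:xyz9876WVUT2:13300:7:90:14:180::
toor:*LK*:13300::::::
guest::13300::::::
"""
```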

41
193-211 List SUID and SGID Files Owned by Root
  • Lists the last 200 root SUID files found and the
    last 200 root SGID files found.
  • Use the spreadsheet at the website to make a risk
    assessment (will update for Solaris 9) before
    removing SUID or SGID bits; some files must have
    these bits set in order for the system to function.

42
212-267 Examines crontab access
  • /etc/cron.d/cron.allow: usually should have only
    root, lp, and sys.
  • If using cron to resize Datatel files, either add
    the datatel user or run with the su datatel -c
    option.
  • /etc/cron.d/at.allow: either do not have it, or
    have root as the only entry.
  • /etc/cron.d/cron.deny and /etc/cron.d/at.deny:
    should not exist.

43
268-274 List Files Without a Legal Owner
  • See standard C1 File Ownership Guidelines.
  • Will put a delete.user script on the website to help.

44
275-285 List perms and contents of /var/adm/*log
  • Make sure to have /var/adm/loginlog:
    touch /var/adm/loginlog
    chown root:sys /var/adm/loginlog
    chmod 600 /var/adm/loginlog
  • Note that the script command will list every file
    in /var/adm ending in log.

45
286-295 List perms and contents of
/etc/default/login
  • Make sure to uncomment the line CONSOLE=/dev/console
    to prevent remote root login.
  • Most of the other entries can be set elsewhere or
    are defaults.
  • If you want to log every single failed login
    attempt, change SYSLOG_FAILED_LOGINS to 0 as well
    as RETRIES.
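The /etc/default/inetinit check (slide 32) and the /etc/default/login check (this slide) both hinge on the same trap: a commented-out line leaves the compiled-in default in force. Here is an added example (not from the presentation) that parses these KEY=VALUE files and reports the settings the slides call out; the sample file contents are constructed, and `audit_inetinit` and `audit_login` are the example's own names.

```python
"""Check the /etc/default/inetinit and /etc/default/login settings the script lists.
Only uncommented KEY=VALUE lines count: "#CONSOLE=/dev/console" sets nothing."""

def parse_default_file(text):
    """Return the active KEY=VALUE settings; comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_inetinit(text):
    """TCP_STRONG_ISS must be 2 (RFC 1948 style unpredictable initial sequence numbers)."""
    iss = parse_default_file(text).get("TCP_STRONG_ISS")
    return [] if iss == "2" else [f"TCP_STRONG_ISS is {iss!r}, expected 2"]

def audit_login(text):
    """CONSOLE must be active to block remote root login; SYSLOG_FAILED_LOGINS and
    RETRIES are reported unless both are 0, the setting that logs every failure."""
    s = parse_default_file(text)
    findings = []
    if s.get("CONSOLE") != "/dev/console":
        findings.append("CONSOLE=/dev/console is not active: root may log in remotely")
    for key in ("SYSLOG_FAILED_LOGINS", "RETRIES"):
        # Solaris 9 uses 5 for both when the line is commented out (assumed default).
        value = s.get(key, "5")
        if value != "0":
            findings.append(f"{key}={value}: set both to 0 to log every failed attempt")
    return findings

# Constructed excerpts in the style of the Solaris 9 files, not copied from a system.
WEAK_LOGIN = "#CONSOLE=/dev/console\nPASSREQ=YES\n#SYSLOG_FAILED_LOGINS=5\n"
HARDENED_LOGIN = "CONSOLE=/dev/console\nPASSREQ=YES\nSYSLOG_FAILED_LOGINS=0\nRETRIES=0\n"
WEAK_INETINIT = "TCP_STRONG_ISS=1\n"
HARDENED_INETINIT = "# use RFC 1948 sequence numbers\nTCP_STRONG_ISS=2\n"

if __name__ == "__main__":
    for finding in audit_inetinit(WEAK_INETINIT) + audit_login(WEAK_LOGIN):
        print(finding)
```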

46
296-314 List perms and contents (last 100
lines) of /var/adm/sulog
  • May have to explain some entries.

47
286-295 List perms and contents of
/etc/default/login
  • May have to explain some entries.
  • Check UMASK setting (007).
48
340-360 List perms and contents of all user
.profile files.
  • The method used to list the file contents (cat
    /export/home/*/.profile) will make it impossible
    for the auditor to know which contents belong to
    which file (unless every file has a comment
    header).

49
361-368 List perms and contents of a root
profile (/.profile).
  • Solaris 9 doesn't have one, as /etc/default/su
    handles some of a root .profile's functions.
  • Some security folks prefer a separate root home
    directory and .profile; Solaris has / as root's
    home directory. May have to explain to the auditors.

50
369-379 List perms of /export/home directories.
  • Check for world-writable perms; there shouldn't be any.
51
380-395 List cron log (last 100 lines)
  • Script: "Determine if the sync utility is
    periodically executed to copy disk buffer to disk
    so that loss of data is kept at a minimum in the
    event of system failure. This can be verified by
    reviewing the contents of the table stored in the
    crontab file, which lists the programs executed
    periodically. These programs are executed by the
    cron utility as background processes. The system
    administrator typically maintains the
    \etc\crontab file."

52
380-395 List cron log continued
  • It is not necessary to call sync in crontab
    because there is a Solaris fsflush daemon that
    automatically (and intelligently) handles this
    process; the default setting runs the daemon
    every 30 seconds.
  • If you need to show them any documentation, the
    Solaris Tunable Parameters Reference Manual
    (817-1759) starting on page 29 discusses the
    fsflush daemon and its settings for /etc/system.

53
396-403 List permissions of tape devices
  • See standard C8 Backup Device Security.
  • The method used will probably not give actual
    permissions; may want to use
    ls -lL /dev/rmt
    and give the auditors the results.

54
404-414 List world-writable directories
  • Script: "The only world writable directories
    should be spool/public directories e.g. /tmp
    and should have the sticky bit set. Pay
    particular attention to any system owned
    directories that contains executables" (sic)
  • Check with:
    find / -type d -perm -0002 -exec ls -ld {} \;

55
415-423 List world-writable files
  • Script: "Obtain a list of the world writable
    files and examine them for validity. Pay
    particular attention to any system owned
    executable or control file."
  • Check with:
    find / -type f -perm -0002 -exec ls -al {} \;