COPS security audit and the unix pc.

John R. MacMillan john at chance.UUCP
Wed Mar 27 15:34:19 AEST 1991


Warning: I can be a bit paranoid about security stuff.

|> Warning!  Root does not own the following file(s):
|> found found found /bin
|
|Is this of any consequence?

Not really.

|> Warning!  /usr/spool/uucp is _World_ writable!
|
|This one has to be ignored; as I said above certain programs might not be
|able to access locks if this is changed.

Or make them setuid or setgid, and fix any security holes THAT might
open. :-(  Sticky directories would be useful here.

|> Warning!  /etc/drvtab is _World_ writable!
|> Warning!  /etc/inittab is _World_ writable!
|> Warning!  /etc/wtmp is _World_ writable!
|
|Does anybody know if this has to be so? (particularly for /etc/wtmp).

/etc/inittab should NOT be world writable!  And /etc/wtmp does not
need to be world writable.  If it is, a cracker who gets on can hide
the fact that he/she was on.  But if you change it remember to change
whatever you have cleaning it up or you're likely to end up with it
0666 again.

|> Warning!  /usr/adm/NBS.log is _World_ writable!
|> Warning!  /usr/adm/UNIX.log is _World_ writable!
|> Warning!  /usr/adm/cronlog is _World_ writable!
|> Warning!  /usr/adm/drv.log is _World_ writable!
|> Warning!  /usr/adm/sulog is _World_ writable!
|> Warning!  /usr/adm/unix.log is _World_ writable!
|
|Log files... the security risk coming from here is, even in the worst case,
|minimal.

Not really.  A world writable sulog would let someone who su-ed to
some other account to hide the fact, or allow anyone to hide any su
attempts (now if they could get to root the point is moot).  I run a
script that checks sulog to see who's trying to su where.  Cronlog lets
you empirically determine what cron is doing (see below).  Other log
files can be thought of as giving unnecessary clues about the
operation of your system to the cracker, and can allow the cracker to
remove or falsify whatever was being logged.

As above, if you change the modes, don't forget to change things that
may clean up these files.

|> Warning!  /usr/lib/crontab is _World_ readable!
|> Warning!  /usr/adm/sulog is _World_ readable!
|
|Should anybody care about these two?  COPS output is looking more and more
|like lint...

Lint warnings should only be ignored with great care, but I digress.

Letting people see what cron is doing (especially for privileged
users) gives clues about where to plant trojan horses, and when to
attempt to ``break'' programs running as privileged users, by removing
temp files, filling the disk, etc.

Letting people see who can su to whom tells you whose account to break
to increase your chances of getting to whoever they can su to.

|> Warning! /usr/lbin/uudecode creates setuid files!
|
|This, according to the documentation, is pretty common, but without
|reinforcing other problems, seems to be ok.

This could be a problem for inattentive users or if you have a uudecode
alias that runs as root (which I highly recommend AGAINST).

|Comments anyone?  Most of these "problems" (corrected and remaining)
|originated with the standard installation of the standard unix pc
|software, so it's likely you also have them.  Whether they can be safely
|ignored is up to you...

Some of the writable directory ones are terrifying, most notably /.

On the 3B1, the UA introduces a few horrors of its own, most notably
/usr/lib/ua/uasetx, and smgr's mail icon.  See ua(4) for EXEC action
with the option ``-p Run the process with superuser privileges''.
Also, any user can reconfigure your site name, your L.sys file, your
lp setup...

Out of the box, the security on this machine (like many Unix boxes) is
terrible.
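Added example, not code from the original post or from COPS: a small Bourne shell script that does the two defender-side checks the thread talks about, a COPS-style test for world-writable or world-readable files (inittab, wtmp, the log files) and a summary of failed su attempts from a sulog, which is what a "script that checks sulog to see who's trying to su where" boils down to. The sulog lines are constructed sample data, and the format assumed is the System V one, `SU mm/dd hh:mm [+|-] tty from-to` with `+` for success and `-` for failure; the function names and the scratch directory are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks from the thread:
#  1. a COPS-style test for world-writable / world-readable files,
#  2. a summary of failed su attempts from a System V style sulog.
# The sulog lines below are constructed sample data; assumed format is
# "SU mm/dd hh:mm [+|-] tty from-to" ('+' = success, '-' = failure).

# Permission string of a file, e.g. "-rw-rw-rw-" (first 10 chars of ls -ld).
# Checking the mode string, not test -w, matters: test -w answers for the
# user running the script, not for "others".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Exit status 0 when "others" (the world) may write the file.
world_writable() {
    case "$(mode_of "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit status 0 when "others" may read the file.
world_readable() {
    case "$(mode_of "$1")" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print a COPS-like warning (to stderr) for every argument that is world
# writable; the number of findings goes to stdout so callers can use $(...).
audit_world_writable() {
    n=0
    for f in "$@"; do
        if world_writable "$f"; then
            echo "Warning!  $f is _World_ writable!" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Summarise failed su attempts ('-' in field 4) as "from-to count", sorted,
# so repeated guesses at a privileged account stand out.
failed_su_summary() {
    awk '$1 == "SU" && $4 == "-" { c[$6]++ }
         END { for (k in c) print k, c[k] }' "$1" | sort
}

# Demo on a scratch directory with constructed files and a constructed sulog.
demo() {
    d=$(mktemp -d)
    : > "$d/inittab";  chmod 666 "$d/inittab"   # the bad case from the thread
    : > "$d/wtmp";     chmod 644 "$d/wtmp"      # readable, not writable
    : > "$d/crontab";  chmod 600 "$d/crontab"   # neither
    cat > "$d/sulog" <<'EOF'
SU 03/27 15:34 + tty01 john-root
SU 03/27 15:40 - tty02 guest-root
SU 03/27 15:41 - tty02 guest-root
SU 03/27 16:02 - tty03 guest-uucp
EOF
    audit_world_writable "$d/inittab" "$d/wtmp" "$d/crontab"
    failed_su_summary "$d/sulog"
    rm -rf "$d"
}

demo
```

Run it as-is to see the demo; to audit a real system, call `audit_world_writable` on the files COPS flagged (for example `/etc/inittab /etc/wtmp /usr/adm/sulog`) and `failed_su_summary /usr/adm/sulog` from cron, remembering the post's point that whatever cleans those logs up must not put them back to 0666.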
