COPS security audit and the unix pc.

DoN Nichols dnichols at ceilidh.beartrack.com
Wed Mar 27 02:21:16 AEST 1991


In article <1991Mar23.004007.2024 at shibaya.lonestar.org> afc at shibaya.lonestar.org (Augustine Cano) writes:
>When I first ran the COPS security package on my 3b1, I got a report more
>than 250 lines long.  Most of the entries were about files and directories
>being world-writable.  Surprisingly, the following few commands eliminated
>the vast majority.

	You'll also have problems with newer programs which are suid or
sgid.  As they pass the age of six months, the format of the 'ls -l' output
will change.  This will be reported as new suid files, and files no longer
being suid.  (If you have the newest COPS, this may no longer be the case.
I don't have it yet, and don't know whether it is dependent upon the format
of the 'ls -l' command.)  By the way, the command for directory listing
buried in COPS is tailored to the BSD world.  It uses 'ls -lg' to INCLUDE
group ownership in the report.  On our ls, this TURNS OFF the group
ownership part of the report.  I would recommend running coffdates(1) on all
the bin directories, to set the date shown in the 'ls -l' to the compilation
date, to make sure that the older ones won't change format on you six months
after installation.

>
>One directory that CANNOT be treated in this manner is /usr/spool/uucp.
>I tried it and kermit couldn't then set or clear locks.

	Well, you COULD make kermit sgid to mail :-)

>The COPS security report is now down to the following:
>(actual COPS output follows '>', my comments follow each (group of) entry(ies))
>

	[ ... ]

>> Warning!  /etc/drvtab is _World_ writable!
>> Warning!  /etc/inittab is _World_ writable!
>> Warning!  /etc/wtmp is _World_ writable!
>
>Does anybody know if this has to be so? (particularly for /etc/wtmp).

	I don't THINK so.

>> Warning!  /usr/adm/NBS.log is _World_ writable!
>> Warning!  /usr/adm/UNIX.log is _World_ writable!
>> Warning!  /usr/adm/cronlog is _World_ writable!
>> Warning!  /usr/adm/drv.log is _World_ writable!
>> Warning!  /usr/adm/sulog is _World_ writable!
>> Warning!  /usr/adm/unix.log is _World_ writable!
>
>Log files... the security risk coming from here is, even in the worst case,
>minimal.

	Well, it allows one to cover his tracks when attempting a breakin,
if he has any kind of account on the system.

>> Warning!  /usr/lib/crontab is _World_ readable!
>> Warning!  /usr/adm/sulog is _World_ readable!
>
>Should anybody care about these two?  COPS output is looking more and more
>like lint...

	/usr/lib/crontab IS a risk, since it allows an intruder to see
easily which programs/shell-scripts are being run from cron, and as whom.
This helps identify good targets for trojan-horse attacks.  Find out what is
being run with privilege, see whether you can modify/substitute one of those
to do YOUR sinister work.

>> Warning!  File /dev/console (in /etc/rc*) is _World_ writable!
>> Warning!  File /dev/window (in /etc/rc*) is _World_ writable!
>> Warning!  File /usr/lib/ua/.blanktime (in /etc/rc*) is _World_ writable!

	No need to keep .blanktime writable.  Set it once at install, then
set it to 444.  That way, nobody is going to change it on you.

	[ ... ]

>> Warning! /usr/lbin/uudecode creates setuid files!
>
>This, according to the documentation, is pretty common, but without
>re-inforcing other problems, seems to be ok.

	Depends on what you allow for remote execution.  If you are running
HDB and have the permissible executable list properly limited, you are
probably reasonably safe.

>Comments anyone?  Most of these "problems" (corrected and remaining)
>originated with the standard installation of the standard unix pc
>software, so it's likely you also have them.  Whether they can be safely
>ignored is up to you...

	Most systems, as they are shipped, are criminally lax.

>Stay tuned for coming attractions:  AT&T external monitor for the unix pc?

	I'm waiting.

	Safe Computing
		DoN.
-- 
Donald Nichols (DoN.)		| Voice (Days):	(703) 664-1585
D&D Data			| Voice (Eves):	(703) 938-4564
Disclaimer: from here - None	| Email:     <dnichols at ceilidh.beartrack.com>
	--- Black Holes are where God is dividing by zero ---
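The setuid-file and world-writable checks discussed in this thread, as an added example that is not part of COPS, the UNIX PC software, or either poster's message. It reads mode bits with lstat() instead of scraping 'ls -l', so the six-month date-format change (and the BSD 'ls -lg' vs. System V difference) cannot produce false "new suid file" reports, and it diffs against a saved baseline so only real changes show up. It assumes Python 3 on a POSIX system; the sample tree in demo() is constructed in a temporary directory and is not a real system layout.

```python
"""Baseline check for setuid/setgid and world-writable files.

Added example (not COPS code and not from the original post). Mode bits
come from lstat(), not from parsing 'ls -l', so the date column changing
form after six months cannot be mistaken for a changed file.
"""
import json
import os
import stat
import tempfile


def scan_tree(root):
    """Return {relative path: [flags]} for every file or directory under
    root that is setuid, setgid or world-writable. Symlinks are skipped so
    a link pointing into /tmp cannot masquerade as a privileged file."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # removed or unreadable while scanning
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            flags = []
            if mode & stat.S_ISUID:
                flags.append("setuid")
            if mode & stat.S_ISGID:
                flags.append("setgid")
            if mode & stat.S_IWOTH:
                flags.append("world-writable")
            if flags:
                findings[os.path.relpath(path, root)] = flags
    return findings


def diff_baseline(old, new):
    """Compare a saved scan with a fresh one.
    Returns (newly privileged, no longer privileged, flags changed)."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and new[p] != old[p])
    return added, removed, changed


def save_baseline(findings, path):
    with open(path, "w") as f:
        json.dump(findings, f, indent=1, sort_keys=True)


def load_baseline(path):
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def warnings(findings):
    """COPS-style one-line warnings, one per flag."""
    lines = []
    for path in sorted(findings):
        for flag in findings[path]:
            lines.append("Warning!  %s is %s!" % (path, flag))
    return lines


def demo():
    """Constructed sample tree (not real system files): one setuid binary,
    one world-writable log, one ordinary file. Returns the first scan and
    the diff after the log is fixed and a new setuid file appears."""
    root = tempfile.mkdtemp(prefix="copsdemo")

    def mkfile(rel, mode):
        path = os.path.join(root, rel)
        parent = os.path.dirname(path)
        os.makedirs(parent, exist_ok=True)
        os.chmod(parent, 0o755)       # do not let the umask decide
        with open(path, "w") as f:
            f.write("x")
        os.chmod(path, mode)
        return path

    mkfile("bin/su", 0o4755)
    sulog = mkfile("adm/sulog", 0o666)
    mkfile("etc/passwd", 0o644)
    first = scan_tree(root)
    baseline = os.path.join(root, "baseline.json")
    save_baseline(first, baseline)

    os.chmod(sulog, 0o644)            # administrator fixes the log
    mkfile("bin/backdoor", 0o4755)    # intruder drops a new setuid file
    second = scan_tree(root)
    return first, diff_baseline(load_baseline(baseline), second)


if __name__ == "__main__":
    first, (added, removed, changed) = demo()
    for line in warnings(first):
        print(line)
    print("new:", added, " gone:", removed, " changed:", changed)
```

Run it once to write the baseline, then from cron; a file appearing in "new" is exactly the case the original poster's 'ls -l' comparison would have drowned in date-format noise. World-writable log files (sulog, cronlog) are flagged for the reason given above: a user with any account can edit them to cover tracks.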

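The "uudecode creates setuid files" warning, as an added example that is neither the UNIX PC's uudecode nor anything from the thread. A uuencoded message carries its target file mode in the 'begin' line, so 'begin 4755 name' asks the decoder to create a setuid file; when uudecode runs with privilege (setuid itself, or invoked through uux remote execution on a system whose HDB executable list is too generous) that is a setuid-file factory. This decoder keeps the payload but masks the requested mode to the owner's rwx bits, refuses names that carry a path, and creates the output with O_EXCL|O_NOFOLLOW so a planted symlink cannot redirect the write. The hostile message in demo() is constructed for the example; assumes Python 3 on POSIX.

```python
"""uudecode that refuses to honour setuid/setgid bits in the begin line.

Added example, not the system uudecode and not from the original post.
"""
import binascii
import os
import re
import tempfile

BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (.+)$")
SAFE_MASK = 0o755  # strips setuid (04000), setgid (02000), sticky, group/other write


def uuencode(name, mode, data):
    """Build a uuencoded message; used here only to construct sample input."""
    lines = ["begin %o %s" % (mode, name)]
    for i in range(0, len(data), 45):
        chunk = binascii.b2a_uu(data[i:i + 45]).decode("ascii")
        lines.append(chunk.rstrip("\n"))
    lines.append("`")   # zero-length terminator line
    lines.append("end")
    return "\n".join(lines) + "\n"


def uudecode(text):
    """Parse a uuencoded message. Returns (name, requested_mode, payload).
    The mode is returned as requested; the caller decides what to grant."""
    lines = text.splitlines()
    body_start = None
    for idx, line in enumerate(lines):
        m = BEGIN_RE.match(line)
        if m:
            mode, name = int(m.group(1), 8), m.group(2)
            body_start = idx + 1
            break
    if body_start is None:
        raise ValueError("no begin line")
    payload = bytearray()
    for line in lines[body_start:]:
        if line == "end":
            break
        if not line:
            continue  # a2b_uu would read a blank line as 32 NUL bytes
        payload += binascii.a2b_uu(line)
    else:
        raise ValueError("no end line")
    return name, mode, bytes(payload)


def safe_mode(requested):
    """The mode actually granted: never setuid, setgid or world-writable."""
    return requested & SAFE_MASK


def is_safe_name(name):
    """Plain file name only: no directory components, no '.' or '..'."""
    return name not in ("", ".", "..") and name == os.path.basename(name)


def decode_to_dir(text, outdir):
    """Decode into outdir with the sanitized mode. Returns
    (path, requested_mode, granted_mode)."""
    name, requested, payload = uudecode(text)
    if not is_safe_name(name):
        raise ValueError("refusing path-carrying name: %r" % name)
    granted = safe_mode(requested)
    path = os.path.join(outdir, name)
    # O_EXCL: never overwrite; O_NOFOLLOW: never write through a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, granted)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    os.chmod(path, granted)  # apply exactly, independent of the umask
    return path, requested, granted


def demo():
    """Constructed hostile message asking for mode 4755 on 'rootshell'.
    Returns (requested mode, granted mode, mode actually on disk)."""
    msg = uuencode("rootshell", 0o4755, b"#!/bin/sh\nexec /bin/sh\n")
    outdir = tempfile.mkdtemp(prefix="uudemo")
    path, requested, granted = decode_to_dir(msg, outdir)
    actual = os.stat(path).st_mode & 0o7777
    return requested, granted, actual


if __name__ == "__main__":
    requested, granted, actual = demo()
    print("requested %o, granted %o, on disk %o" % (requested, granted, actual))
```

The same masking can be bolted onto a stock uudecode by rewriting the begin line before it sees the input (a sed over the first line), but the path and symlink checks above are what make the decoder safe to expose through remote execution at all.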