
Unix System Administration
IT Audit Preparation

2006-08-21
Presentation Conventions
• Names (files, users, daemons) are usually in bold: /etc/syslog.conf
• System dependent or variable items are usually in italics: /var/sadm/patch/patchnumber/log
• File entries and output are in mono-spaced type:
> root 8036 c Tue Apr 26 23:59:00 2005
< root 8036 c Tue Apr 26 23:59:59 2005
•  marks a line wrapped to fit on the slide:
mv Solaris_9_Recommended_Patch_Cluster_log
Solaris_9_Recommended_Patch_Cluster_log.yyyymmdd
•  marks a horizontal tab (09 hex)
• Reference OE is Solaris 9
Introduction
• Suggestions for preparing your system prior to running the script from the auditor's office and before the auditor's port scan.
• Based on the script supplied by the schools most recently audited; the script name is comcol06.
• Primary focus is on the audit, not on making your system more secure.
Introduction continued
• Comments within the script help with what the auditors are looking for, but sometimes one may have to guess.
• References to 'website' refer to the IIPS page http://nciips.cc.nc.us/Standards.html, section "Helpful information and scripts for your next audit"
Solution Methods
• Single-shot command, i.e. find blah-blah -exec (usually not recommended). If you use one, keep a log of what you have done.
• Ad-hoc custom scripts
• Sun applications such as the Solaris® Security Toolkit, or individual Sun scripts from the toolkit (fixmodes, nddconfig, etc.)
• Third-party security applications: YASSP, TITAN (4.0 for Solaris 9), etc.
• Cfengine configuration program.
1 – 37 Introduction
• Notes on how to execute; the directions refer to the previous version of the file (comcol05).
• Prints host name and domain name, etc.
38 – 48 list /etc/syslog.conf
• Presumably looking at the configuration to see if the system is logging repeated login failures.
• The default Solaris 9 /etc/syslog.conf already does this in lines 12 and 13:
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
Default /etc/syslog.conf line 12:
*.err;kern.notice;auth.notice /dev/sysmsg
The authorization system reports repeated login failures and password change failures at the crit level, so auth.notice would send messages about these to the console.
Default /etc/syslog.conf line 13:
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.err logs all facility messages of err or higher; therefore the default configuration will log repeated login failures, which are at the crit level, to the messages file:
May 8 10:40:28 sun0 login: REPEATED LOGIN FAILURES ON /dev/pts/23 FROM 10.1.7.220
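The reasoning on the last two slides (a selector of "facility.level" catches that level and everything more severe, and "*" catches every facility) can be checked mechanically. The following is an added example, not part of the slides or the auditor's script: a small awk-based selector evaluator run against a constructed syslog.conf whose first two lines are the two default Solaris 9 lines quoted above (the remaining selectors are also from the Solaris 9 default file, but the file as a whole is a constructed sample). Solaris syslogd requires a tab between selector and action; awk's default field splitting accepts tab or spaces, so the evaluator is slightly more lenient than syslogd itself.

```shell
#!/bin/sh
# Added example (not from the slides): evaluate /etc/syslog.conf selectors
# to see which actions a given facility.level message would reach.

# Constructed sample config written with real tabs, as syslogd expects.
CONF=$(mktemp)
printf '%s\t%s\n' \
  '*.err;kern.notice;auth.notice'            '/dev/sysmsg' \
  '*.err;kern.debug;daemon.notice;mail.crit' '/var/adm/messages' \
  '*.alert;kern.err;daemon.err'              'operator' \
  '*.alert'                                  'root' \
  '*.emerg'                                  '*' > "$CONF"

# syslog_targets CONF FACILITY LEVEL
# Prints the action of every line whose selectors match FACILITY.LEVEL.
# "fac.level" matches that level or anything more severe (numerically
# lower); "*" matches any facility; "fac.none" excludes a facility.
syslog_targets() {
    awk -v fac="$2" -v lvl="$3" '
    BEGIN {
        pri["emerg"]=0; pri["alert"]=1; pri["crit"]=2; pri["err"]=3
        pri["error"]=3; pri["warning"]=4; pri["warn"]=4; pri["notice"]=5
        pri["info"]=6; pri["debug"]=7
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        hit = 0
        nsel = split($1, sels, ";")
        for (i = 1; i <= nsel; i++) {
            dot = index(sels[i], ".")
            nfac = split(substr(sels[i], 1, dot - 1), facs, ",")
            level = substr(sels[i], dot + 1)
            for (j = 1; j <= nfac; j++) {
                if (facs[j] != "*" && facs[j] != fac) continue
                if (level == "none") hit = 0        # a later "none" overrides
                else if (pri[lvl] <= pri[level]) hit = 1
            }
        }
        if (hit) print $2
    }' "$1"
}

# The slide's claims: auth.notice reaches the console; REPEATED LOGIN
# FAILURES (auth.crit) reaches the console and /var/adm/messages.
echo "auth.notice -> $(syslog_targets "$CONF" auth notice | tr '\n' ' ')"
echo "auth.crit   -> $(syslog_targets "$CONF" auth crit   | tr '\n' ' ')"
echo "auth.info   -> $(syslog_targets "$CONF" auth info   | tr '\n' ' ')"
```

Running it against the real file (`syslog_targets /etc/syslog.conf auth crit`) shows an auditor exactly where the login-failure messages land; note that auth.info reaches nothing in the default configuration, which is why the deck later suggests SYSLOG_FAILED_LOGINS in /etc/default/login rather than a syslog.conf change.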
49 – 56 list patches: showrev -p
• Because the script does not interrogate the system to determine which packages are installed, it is possible that the auditors will incorrectly conclude that your system is missing some required patches.
• Try providing the auditors with the recommended cluster log, Solaris_9_Recommended_Patch_Cluster_log in /var/sadm/install_data.
49 – 56 list patches continued
• The cluster log will indicate patches that cannot be applied because the package isn't on the system with:
One or more patch packages included in ######-## are not installed on this system.
Patchadd is terminating.
71 – 86 List /etc/inetd.conf
• Checking to see if services with known vulnerabilities have been commented out.
• inetd.conf is the configuration file for the inetd daemon.
• inetd is the server process for some Internet standard services (but not all).
• It will start services only when requested, and only if they are listed in inetd.conf.
• This file will also affect the auditor's port scan.
List /etc/inetd.conf continued
• Two types of services are listed in inetd.conf:
  • Standard socket-based services that use the well-known port numbers; these match the service name listed in /etc/services.
  • Non-standard services that use a service name instead of a well-known port, based on RFC 1078 TCP Port Service Multiplexor (TCPMUX). In other words, RPC services.
List /etc/inetd.conf continued
• For example the inetd.conf entry
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
in inetd.conf corresponds to the /etc/services entry:
shell 514/tcp
• A request on tcp port 514 will result in inetd running the remote shell in.rshd found in /usr/sbin as root.
List /etc/inetd.conf continued
• An RPC entry follows the service name with a '/' and version number, etc. For example the inetd.conf entry
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
is the entry for UFS disk quotas for NFS clients.
• rpcbind listens on port 111, and handles a request for the service based on the service name.
Removing Services from inetd.conf
• Only run services that are required, based on an appropriate risk assessment.
• Remove services by inserting the comment symbol (#) at the beginning of the line that configures the service.
• Signal the inetd daemon to use the new configuration:
pkill -1 inetd
/etc/inetd.conf socket-based services that should always be removed
• name (in.tnamed)
• shell (in.rshd)
• login (in.rlogind)
• exec (in.rexecd)
• comsat (in.comsat)
• talk (in.talkd)
• finger (in.fingerd)
• systat
• netstat
• time
• echo
• discard
• daytime
• chargen
/etc/inetd.conf rpc services that should always be removed (1)
• 100232 (sadmind)
• rquotad
• rusersd
• sprayd
• walld
• rstatd
• rexd
• uucp ¹
• 100083 (ToolTalk DB)
• 100221 (kcms server ²)
• fs (Sun Font Server)
• 100235 (cachefsd)
1. Recommend removing both uucp packages: SUNWbnur and SUNWbnuu.
2. Recommend removing all Kodak Color Management System packages: SUNWkcspf, SUNWkcspg, SUNWkcsrl, SUNWkcsrr, and SUNWkcsrt.
/etc/inetd.conf rpc services that should always be removed (2)
• 100134 (Kerberos warning message daemon)
• 100242 (Kerberos DB Propagation daemon)
• 100146 (smartcard: amiserv)
• 100147 (smartcard: amiserv)
• 100150 (smartcard: OCF daemon)
• sun-dr (dynamic configuration server)
• 300326 (dynamic configuration server E10000)
• 100424 (Standard Type Services Framework (STSF) Font Server)
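The "Removing Services from inetd.conf" procedure and the three "should always be removed" lists above can be combined into one check. This is an added example, not the deck's or the auditor's script: it reports which entries from those lists are still active in a constructed sample inetd.conf (real Solaris 9 entry formats, but not copied from any actual system), comments one out the way the slide describes, and keeps the reload step in a function so it is only run on the real host. RPC entries are matched on the program name or number before the "/version" suffix.

```shell
#!/bin/sh
# Added example (not from the slides): find, disable and reload inetd
# services that the deck says should always be removed.

# Constructed sample inetd.conf (Solaris 9 entry formats).
INETD=$(mktemp)
cat > "$INETD" <<'EOF'
# Internet services configuration (constructed sample)
ftp	stream	tcp	nowait	root	/usr/sbin/in.ftpd	in.ftpd -l
telnet	stream	tcp	nowait	root	/usr/sbin/in.telnetd	in.telnetd
shell	stream	tcp	nowait	root	/usr/sbin/in.rshd	in.rshd
login	stream	tcp	nowait	root	/usr/sbin/in.rlogind	in.rlogind
#exec	stream	tcp	nowait	root	/usr/sbin/in.rexecd	in.rexecd
finger	stream	tcp	nowait	nobody	/usr/sbin/in.fingerd	in.fingerd
rquotad/1	tli	rpc/datagram_v	wait	root	/usr/lib/nfs/rquotad	rquotad
100232/10	tli	rpc/udp	wait	root	/usr/sbin/sadmind	sadmind
100155/1	tli	rpc/ticotsord	wait	root	/usr/lib/smedia/rpc.smserverd	rpc.smserverd
EOF

# Names from the three "should always be removed" slides.
ALWAYS_REMOVE="name shell login exec comsat talk finger systat netstat time \
echo discard daytime chargen 100232 rquotad rusersd sprayd walld rstatd rexd \
uucp 100083 100221 fs 100235 100134 100242 100146 100147 100150 sun-dr \
300326 100424"

# flagged_services FILE: active (uncommented) entries that are on the list.
flagged_services() {
    awk -v list="$ALWAYS_REMOVE" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { split($1, f, "/"); if (f[1] in bad) print f[1] }' "$1"
}

# disable_service FILE NAME: put "#" at the start of every active line for
# NAME (the slide's removal step). "cat >" keeps the file's mode and owner.
disable_service() {
    tmp=$(mktemp)
    awk -v svc="$2" '
    !/^[ \t]*#/ { split($1, f, "/"); if (f[1] == svc) { print "#" $0; next } }
    { print }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# reload_inetd: the slide's signal step; only meaningful on the real host.
reload_inetd() { pkill -1 inetd; }

echo "Before: $(flagged_services "$INETD" | tr '\n' ' ')"
disable_service "$INETD" shell
disable_service "$INETD" finger
echo "After:  $(flagged_services "$INETD" | tr '\n' ' ')"
# On the real system, follow the edits with: reload_inetd
```

ftp, telnet and 100155 (rpc.smserverd) are deliberately not on the list: the deck treats them as entries that need a risk assessment rather than unconditional removal, so they are left for the later slides.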
/etc/inetd.conf Entries Requiring a Risk Assessment
• ftp
• telnet
• tftp
• printer
• NetBackup related: 100234 (gssd), bpcd, vnetd, bpjava-msvc
• Logical Volume Management: 100229, 100230, 100068, 100242, 100155, & 100422.
• SunVTS: 100153
• Removable Media Server: 100155/1
/etc/inetd.conf: ftp
• Vulnerability: Insecure; clear-text transfer of authentication credentials and data.
• Risk Assessment: Required for Datatel Communications Management if not using Secure UI.
• Other file transfers may be replaced with the SunSSH scp or sftp programs.
• A note in the audit script states that in.ftpd should have the '-l' option for logging. Put this in to make the auditors happy.
/etc/inetd.conf: ftp continued
• Due to the change of the ftp daemon to wu-ftp in Solaris 9, in order to actually log ftp connections /etc/default/inetd will need to have the comment removed from the line with
ENABLE_CONNECTION_LOGGING=YES
• Recommend these entries in /etc/ftpd/ftpaccess:
banner /etc/ftpd/banner.msg
greeting terse
message /etc/ftpd/welcome.msg login
• Recommend that /etc/ftpd/banner.msg have the same legal warning message as /etc/issue, and that there be no /etc/ftpd/welcome.msg file.
/etc/inetd.conf: telnet
• Vulnerability: Insecure; clear-text transfer of authentication credentials and data.
• Risk Assessment
  • Required for Datatel client access if not using UI SSL.
  • Datatel InstallShield requires it regardless of the UI setting.
  • Recommend use of ssh for administrative logins.
/etc/inetd.conf: tftp
• Vulnerability
  • No authentication
  • Unpredictable results when attempting to change home directory
  • Runs as user nobody; can read all publicly readable files and write to all publicly writable files
• Risk Assessment: Leave enabled only if required to boot print servers or other diskless clients.
/etc/inetd.conf: printer
• Vulnerability:
  • At one time there was a buffer overflow exploit in in.lpd.
  • Runs as root; vulnerable to spoofing, as it uses the IP address for authentication.
• Risk Assessment: The buffer overflow vulnerability was fixed in 2001. But this service is not required if the system has EasySpooler installed; recommend leaving it enabled only if the system does not have EasySpooler and needs to provide BSD printer services.
/etc/inetd.conf: NetBackup Services
• NetBackup inserts these entries into inetd.conf:
  • 100234 (gssd; Generic Security Service)
  • bpcd
  • vnetd
  • vopied
  • bpjava-msvc
• Risk Assessment: Required if using NetBackup; 100234 is only required if backing up remote clients using NFS.
/etc/inetd.conf: Logical Volume Management
• Solaris Volume Manager may insert the following entries:
  • 100229 (rpc.metad: remote metaset services)
  • 100230 (rpc.metamhd: manage multi-hosted disks)
  • 100242 (rpc.metamedd: manages mediator information)
  • 100442 (rpc.mdcommd: multi-node communication daemon)
• Risk Assessment: Very little information is provided by Sun. rpc.metad and rpc.metamhd were used for remote systems or by metatool, which is no longer in Solaris 9. Volume management seems to work without rpc.metamedd and rpc.mdcommd, but I'm still running them as a precaution.
/etc/inetd.conf: sunvts
• Vulnerability: At one time there was a buffer overflow potential with older versions.
• Risk Assessment: The Sun Validation and Test Suite seems to require this inetd.conf entry for both local and remote use. Depends on whether you want to run sunvts.
/etc/inetd.conf: rpc.smserverd
• Vulnerability: None that I can find, other than the usual RPC problems.
• Risk Assessment: Handles requests from client applications to handle removable media (tape and cd media, not PCMCIA devices). Seems safe to use at this time.
87 – 93 List /etc/ftpusers
• In Solaris 9 Sun modified the in.ftpd daemon to one based on the Washington University FTP (wu-ftp) server.
• As a result, the use of /etc/ftpusers has been deprecated; users who cannot log in to the ftp server should be listed in /etc/ftpd/ftpusers.
• Therefore there may not be an /etc/ftpusers file that can be listed, so this may have to be pointed out to the auditors.
101 List /etc/init.d/inetinit
• inetinit is the startup script that handles TCP/IP configuration.
• Sets up the default router, ipsec, etc.
• Reads /etc/default/inetinit to set TCP ISS (Initial Sequence Number) generation; see next slide.
• No need to modify this script. Use Sun's nddconfig script to harden the network stack; you may want to show this to the auditors.
105 List /etc/default/inetinit
• Looking for the TCP_STRONG_ISS setting
• A TCP session is easily hijacked if initial sequence numbers are easily guessed (see CERT Advisory CA-2001-09 and RFC 1948).
• Be sure the TCP_STRONG_ISS setting in /etc/default/inetinit is:
TCP_STRONG_ISS=2
107 – 109 List /etc/notrouter
• The system should not be running a routing protocol and forwarding packets.
• When the machine boots, /etc/rc2.d/S69inet will set up the machine for routing if there is no /etc/notrouter file.
• Make sure the system has /etc/notrouter; if not, create it by giving the commands:
touch /etc/notrouter
chgrp other /etc/notrouter
chmod 400 /etc/notrouter
111 – 113 List /etc/defaultrouter
• Existence prevents the system from running a routing protocol.
• Make sure the system has /etc/defaultrouter specifying the host's default router(s).
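The three items from script lines 105 to 113 (TCP_STRONG_ISS, /etc/notrouter, /etc/defaultrouter) are simple enough to check and correct in one pass before the auditor's run. This is an added example, not from the slides: the functions take a root prefix so they can be exercised here against a constructed tree (ISS=1 and no notrouter, as on a default install; the defaultrouter address is a constructed placeholder) and run against "" for the live system. The fix applies the slide's own commands; the `chgrp other` step is Solaris-specific and is allowed to fail elsewhere, and the default router address is never guessed since it must come from the site.

```shell
#!/bin/sh
# Added example (not from the slides): audit and correct the inetinit,
# notrouter and defaultrouter items under a root prefix.

# audit_netstack ROOT: one PASS/FAIL line per check.
audit_netstack() {
    r=$1
    if grep -q '^TCP_STRONG_ISS=2[[:space:]]*$' "$r/etc/default/inetinit" 2>/dev/null
    then echo "PASS TCP_STRONG_ISS=2 in /etc/default/inetinit"
    else echo "FAIL TCP_STRONG_ISS is not 2 (RFC 1948 ISS generation not enabled)"
    fi
    if [ -f "$r/etc/notrouter" ]
    then echo "PASS /etc/notrouter exists (S69inet will not enable routing)"
    else echo "FAIL /etc/notrouter missing"
    fi
    if [ -s "$r/etc/defaultrouter" ]
    then echo "PASS /etc/defaultrouter names a router: $(cat "$r/etc/defaultrouter")"
    else echo "FAIL /etc/defaultrouter missing or empty"
    fi
}

# fix_netstack ROOT: apply the slide's remedies for the first two checks.
fix_netstack() {
    r=$1
    f="$r/etc/default/inetinit"
    [ -f "$f" ] || : > "$f"
    tmp=$(mktemp)
    awk '/^TCP_STRONG_ISS=/ { print "TCP_STRONG_ISS=2"; next } { print }' "$f" > "$tmp"
    grep -q '^TCP_STRONG_ISS=2' "$tmp" || echo 'TCP_STRONG_ISS=2' >> "$tmp"
    cat "$tmp" > "$f"; rm -f "$tmp"           # cat keeps the file's mode and owner
    touch "$r/etc/notrouter"
    chgrp other "$r/etc/notrouter" 2>/dev/null || true   # group "other" exists on Solaris
    chmod 400 "$r/etc/notrouter"
}

# Constructed tree mimicking a default Solaris 9 install.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/default"
printf '# TCP_STRONG_ISS: 0=old, 1=improved, 2=RFC 1948 (constructed sample)\nTCP_STRONG_ISS=1\n' \
    > "$ROOT/etc/default/inetinit"
echo '10.1.7.1' > "$ROOT/etc/defaultrouter"   # constructed placeholder address

audit_netstack "$ROOT"
fix_netstack "$ROOT"
audit_netstack "$ROOT"
```

TCP_STRONG_ISS takes effect at the next boot (inetinit reads it at startup), so after editing the file an auditor's scan on a running system will still see the old behaviour until the host is rebooted or the ndd parameter is changed by hand.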
115 – 130 List /etc/hosts and /etc/hosts*
• Lists /etc/hosts, presumably to help in reading the other files.
• Looking for hosts.equiv files:
  • These are files for specifying trusted hosts and users for the "r" commands (rcp, rlogin, rsh, rcmd).
  • Should not have them: they allow trusted users to access a system without supplying a password.
  • If the system is running tcp_wrappers, there may be hosts.allow or hosts.deny files; these are not a security problem.
131 – 137 List /etc/netgroups
• Looking for the NIS netgroup file.
• Should not have one; remove it if the system has one.
138 – 148 List all rhosts files
• There are also files for specifying trusted hosts and users for the BSD "r" commands (rcp, rlogin, rsh, rcmd).
• Should not have them: they allow trusted users to access a system without supplying a password.
• Remove them if the system has them, or be prepared to explain why they are on the system.
154 – 158 List /etc/motd and /etc/issue
• Should be a legal warning and not reveal information about the system.
• See standard C3 Legal Warning Banners
• If nothing else, be sure that /etc/motd is not the default, which reveals the Operating System and version:
Sun Microsystems, Inc. SunOS 5.9 Generic January 2003
159 – 192 List /etc passwd, shadow, and group
• Specifically looking for whether all accounts have passwords or are locked, odd user names, and unique UIDs.
• Review /etc/passwd and /etc/shadow. Make sure users have password aging, inactivity days set, etc.
• The logins command is helpful:
logins -d will display logins with duplicate uids
logins -p will display logins with no password
159 – 192 List /etc passwd, shadow, and group continued
• The passwd command can be used to set password aging:
passwd -x 90 jdoe
• The usermod command can be used to set the maximum number of days allowed between uses of a login ID before it is made invalid (auditors like 180 days):
usermod -f 180 jdoe
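logins(1M) is Solaris-only, so it helps to know what the two checks actually look at in the files, and to have a way to find accounts that still need the passwd -x / usermod -f treatment. This is an added example, not from the slides: awk equivalents of logins -d and logins -p, plus a check for accounts with a real password but no maximum age, run over constructed passwd and shadow samples (the hash fields are placeholders; "NP" and "*LK*" are the Solaris conventions for no-password and locked entries, which are not the same as an empty field).

```shell
#!/bin/sh
# Added example (not from the slides): portable equivalents of logins -d
# and logins -p, plus a password-aging check, on constructed samples.

PASSWD=$(mktemp); SHADOW=$(mktemp)
cat > "$PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
sys:x:3:3::/:
jdoe:x:1001:10:John Doe:/export/home/jdoe:/bin/ksh
backup:x:0:1:Backup operator (constructed duplicate UID 0):/:/sbin/sh
guest:x:1002:10:Guest:/export/home/guest:/bin/sh
EOF
# Solaris shadow fields: user:pw:lastchg:min:max:warn:inactive:expire:flag
cat > "$SHADOW" <<'EOF'
root:PLACEHOLDER_HASH:13000::::::
daemon:NP:6445::::::
sys:NP:6445::::::
jdoe:PLACEHOLDER_HASH:13360:7:90:14:180::
backup:*LK*:13360::::::
guest::13360::::::
EOF

# duplicate_uids PASSWD: UIDs shared by more than one login (logins -d).
duplicate_uids() {
    awk -F: '{ n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1"
}

# no_password SHADOW: logins whose password field is empty (logins -p).
# "NP" and "*LK*" are not empty: those accounts cannot log in with a password.
no_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# no_aging SHADOW: accounts with a real password but no maximum age;
# "passwd -x 90 user" sets the age, "usermod -f 180 user" the inactivity days.
no_aging() {
    awk -F: '$2 != "" && $2 != "NP" && $2 != "*LK*" && $5 == "" { print $1 }' "$1"
}

echo "duplicate UIDs: $(duplicate_uids "$PASSWD")"
echo "no password:    $(no_password "$SHADOW")"
echo "no aging:       $(no_aging "$SHADOW")"
```

The duplicate-UID case matters most for UID 0: a second UID 0 login is a second root account, and it is the kind of "odd user name" the script's author is looking for. On the live system /etc/shadow is readable only by root, so these checks have to be run as root.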
193 – 211 List SUID and SGID Files Owned by Root
• Lists the last 200 root SUID files found, and the last 200 root SGID files found.
• Use the spreadsheet at the website to make a risk assessment (will update for Solaris 9) before removing SUID or SGID bits; some files must have these bits set in order for the system to function.
212 – 267 Examines crontab access
• /etc/cron.d/cron.allow:
  • Usually should have only root, lp, and sys.
  • If using cron to resize Datatel files, either add the datatel user or run with the "su - datatel -c" option.
• /etc/cron.d/at.allow: Either do not have it, or have root as the only entry.
• /etc/cron.d/cron.deny and /etc/cron.d/at.deny: Should not exist.
268 – 274 List Files Without a Legal Owner
• See standard C1 File Ownership Guidelines.
• Will put the delete.user script on the website to help.
275 – 285 List perms and contents of /var/adm/*log
• Make sure to have /var/adm/loginlog:
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
• Note that the script command will list every file in /var/adm ending in 'log'.
286 – 295 List perms and contents of /etc/default/login
• Make sure to uncomment the line 'CONSOLE=/dev/console' to prevent remote root login.
• Most of the other entries can be set elsewhere or are defaults.
• If you want to log every single failed login attempt, change SYSLOG_FAILED_LOGINS to 0 as well as RETRIES.
296 – 314 List perms and contents (last 100 lines) of /var/adm/sulog
• May have to explain some entries.
286 – 295 List perms and contents of /etc/default/login continued
• Check UMASK setting (007).
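Both /etc/default/login items above (uncommenting CONSOLE=/dev/console, and checking UMASK and SYSLOG_FAILED_LOGINS) are edits to one key=value file, and the usual mistake is to add a second line while leaving the commented one in place. This is an added example, not from the slides: a reader and a setter for that file format, and an audit function for the settings the deck calls out, run against a constructed sample that mirrors the shipped defaults (CONSOLE commented out, UMASK=022). The functions take the file path, so `audit_login_defaults /etc/default/login` works on the live system.

```shell
#!/bin/sh
# Added example (not from the slides): check and correct entries in a
# Solaris /etc/default/login-style key=value file.

# login_setting FILE KEY: print the active (uncommented) value, if any.
login_setting() {
    awk -F= -v key="$2" '$1 == key { print $2 }' "$1" | tail -n 1
}

# set_login_default FILE KEY VALUE: replace the active or commented entry
# in place (so "#CONSOLE=..." becomes "CONSOLE=..."), or append one.
set_login_default() {
    tmp=$(mktemp)
    awk -F= -v key="$2" -v val="$3" '
    BEGIN { done = 0 }
    $1 == key || $1 == ("#" key) { if (!done) { print key "=" val; done = 1 }; next }
    { print }
    END { if (!done) print key "=" val }' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# audit_login_defaults FILE: PASS/FAIL for the settings the deck calls out.
audit_login_defaults() {
    if [ "$(login_setting "$1" CONSOLE)" = /dev/console ]
    then echo "PASS CONSOLE=/dev/console (root may log in only on the console)"
    else echo "FAIL CONSOLE not set: root can log in remotely"
    fi
    if [ "$(login_setting "$1" UMASK)" = 007 ]
    then echo "PASS UMASK=007"
    else echo "FAIL UMASK is '$(login_setting "$1" UMASK)', expected 007"
    fi
    echo "INFO SYSLOG_FAILED_LOGINS=$(login_setting "$1" SYSLOG_FAILED_LOGINS)" \
         "RETRIES=$(login_setting "$1" RETRIES) (0 logs every failed attempt)"
}

# Constructed sample mirroring the shipped defaults.
LOGIN=$(mktemp)
cat > "$LOGIN" <<'EOF'
# /etc/default/login (constructed sample)
#CONSOLE=/dev/console
PASSREQ=YES
UMASK=022
SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
RETRIES=5
EOF
audit_login_defaults "$LOGIN"
set_login_default "$LOGIN" CONSOLE /dev/console
set_login_default "$LOGIN" UMASK 007
set_login_default "$LOGIN" SYSLOG_FAILED_LOGINS 0
audit_login_defaults "$LOGIN"
```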
340 – 360 List perms and contents of all user .profile files.
• The method used to list the file contents (cat /export/home/*/*profile) will make it impossible for the auditor to know which contents belong to which file (unless every file has a comment header).
361 – 368 List perms and contents of a root profile (/.profile).
• Solaris 9 doesn't have one, as /etc/default/su handles some of a root .profile's functions.
• Some security folks prefer a separate root home directory and .profile; Solaris has / as root's home directory. May have to explain to the auditors.
369 – 379 List perms of /export/home directories.
• Check for world-writable perms; there shouldn't be any.
380 – 395 List cron log (last 100 lines)
• Script: "Determine if the sync utility is periodically executed to copy disk buffer to disk so that loss of data is kept at a minimum in the event of system failure. This can be verified by reviewing the contents of the table stored in the crontab file, which lists the programs executed periodically. These programs are executed by the cron utility as background processes. The system administrator typically maintains the \etc\crontab file."
380 – 395 List cron log continued
• It is not necessary to call sync in crontab because there is a Solaris fsflush daemon that automatically (and intelligently) handles this process; the default setting runs the daemon every 30 seconds.
• If you need to show them any documentation, the Solaris Tunable Parameters Reference Manual (817-1759), starting on page 29, discusses the fsflush daemon and its settings for /etc/system.
396 – 403 List permissions of tape devices
• See standard C8 Backup Device Security.
• The method used will probably not give the actual permissions; may want to use:
ls -lL /dev/rmt
and give the auditors the results.
404 – 414 List world-writable directories
• Script: "The only world writable directories should be spool/public directories e.g. '/tmp' and should have the sticky bit set. Pay particular attention to any system owned directories that contains executables (sic)"
• Check with:
find / -type d -perm -0002 -exec ls -ld {} \;
415 – 423 List world-writable files
• Script: "Obtain a list of the world writable files and examine them for validity. Pay particular attention to any system owned executable or control file."
• Check with:
find / -type f -perm -0002 -exec ls -al {} \;
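The two find commands above list every world-writable directory and file, but the quoted script text draws a finer distinction: a world-writable spool directory such as /tmp is acceptable only with the sticky bit set. This is an added example, not from the slides or the auditor's script: the same find(1) checks wrapped so they take a prefix, with the sticky-bit test added for directories, exercised on a constructed tree (a correct 1777 /tmp, a spool directory missing the sticky bit, and a world-writable executable in a system directory). Paths are printed relative to the prefix.

```shell
#!/bin/sh
# Added example (not from the slides): the world-writable directory and
# file checks from script lines 404-423, with the sticky-bit distinction.

# ww_dirs_no_sticky ROOT: world-writable directories lacking the sticky bit.
# A world-writable /tmp with the sticky bit set is expected and not listed.
ww_dirs_no_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sed "s|^$1||" | sort
}

# ww_files ROOT: world-writable regular files, the second check.
ww_files() {
    find "$1" -type f -perm -0002 | sed "s|^$1||" | sort
}

# show_perms ROOT: the slide's own "-exec ls -ld" form to hand the auditor.
show_perms() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec ls -ld {} \;
}

# Constructed tree.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/tmp" "$ROOT/var/spool/public" "$ROOT/usr/bin"
chmod 1777 "$ROOT/tmp"                                  # correct: sticky bit set
chmod 0777 "$ROOT/var/spool/public"                     # wrong: no sticky bit
: > "$ROOT/usr/bin/tool"; chmod 0777 "$ROOT/usr/bin/tool"   # wrong: world-writable
: > "$ROOT/usr/bin/ok";   chmod 0755 "$ROOT/usr/bin/ok"     # fine

echo "World-writable directories without the sticky bit:"; ww_dirs_no_sticky "$ROOT"
echo "World-writable files:"; ww_files "$ROOT"
show_perms "$ROOT"
```

On a live system run these from / as root and expect the directory list to be empty; anything that appears is either a spool directory that needs `chmod +t` or a genuine finding to explain to the auditor.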
