Re: Solaris Security Script

From: Harry Hoffman (hhoffman_at_ip-solutions.net)
Date: 12/10/04

    Date: Fri, 10 Dec 2004 13:48:28 -0500
    To: xyberpix <xyberpix@xyberpix.com>

    Check out JASS on the sun.com site, and also Titan and Bastille Linux
    (also works on Sun).

    xyberpix wrote:
    > Hi All,
    >
    > I'm working on a rather large Solaris security script, could you please
    > all post your ideas in here or mail me directly for things that you would
    > recommend checking for. I will be releasing the script under the GPL when
    > it's finished, at the moment it is only in a development stage, but works,
    > and is a right mess. At this point in time I am mainly concerned about
    > functionality, I will do a lot of tidying up later on.
    > So far here's what it's doing, checking for:
    >
    > - Does a complete filesystem search in all files for the word "password",
    > as a load of developers tend to leave passwords lying around in scripts,
    > etc. The output here is a mess, but as I said I will be tidying it up.
    >
    > - Check what files users have in their home directories, and what the
    > permissions on these files are.
    >
    > - Check for the presence of SUID files
    >
    > - Get network information, IPs, routes, netstat -a output.
    >
    > - Copy important configuration files to have a look at, inetd.conf,
    > sshd2_conf, services, passwd
    >
    > - Checks what services are set to run automatically
    >
    > - Search for symbolic links
    >
    > - Check for known development tools, gcc, cc, java, perl, etc
    >
    > - Check mount points, and what options they are mounted with
    >
    > - Check ftpusers file to make sure root is not allowed to ftp
    >
    > - Check various files executable permissions, snoop, sshd2, rlogin, rwho, etc
    >
    > - Check certain accounts for the presence of a shell, lp, nobody, sys,
    > adm, etc
    >
    > - Check for programs that shouldn't be on a production box, nmap, tcpdump,
    > nc, etc
    >
    > That's all I have for now, but any ideas would be really welcome. The idea
    > is to run this script as root, so that as much information as possible can
    > be obtained, so that it takes the grunt work out of checking a solaris
    > box, and so that we can concentrate on more important things.
    > As soon as the script gets to a decent level I will post links to it, so
    > whoever wants it can grab it. If I get enough responses I may open up an
    > area on sourceforge for it as well, and get a couple more people working
    > on it if anyone is willing.
    >
    > xyberpix
    >
    >

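Three of the checks from the quoted list (system accounts with a login shell, root in ftpusers, SUID files), written as an added example for this archive page; it is not xyberpix's script and not code from anyone in the thread. The function names, the set of "no-login" shells treated as acceptable, and the sample passwd, ftpusers and SUID files are all assumptions constructed here so the script runs offline; point the functions at /etc/passwd, /etc/ftpd/ftpusers (or /etc/ftpusers on older releases) and / to run them against a live box.

```shell
#!/bin/sh
# Added example, not the script discussed in the thread. Each check is a
# function taking file/directory arguments, so it can be run against the
# constructed sample data below or against the real /etc files as root.

# Check 1: which of the given system accounts still have a login shell?
# Prints "account:shell" for every account whose shell is not one of the
# no-login shells (list is an assumption; extend it for your site).
# An empty shell field is flagged too: login(1) then falls back to /usr/bin/sh.
accounts_with_shell() {
    passwd_file=$1
    accounts=$2
    for acct in $accounts; do
        shell=$(awk -F: -v u="$acct" '$1 == u { print $7 }' "$passwd_file")
        case "$shell" in
            */noshell|*/false|*/nologin|*/true) ;;          # acceptable
            '') printf '%s:<empty>\n' "$acct" ;;             # defaults to a real shell
            *)  printf '%s:%s\n' "$acct" "$shell" ;;
        esac
    done
}

# Check 2: is root listed in ftpusers, i.e. denied FTP login?
# Returns 0 when root is denied, 1 when root could still FTP in
# (including when the file is missing altogether).
root_ftp_denied() {
    ftpusers_file=$1
    [ -f "$ftpusers_file" ] || return 1
    grep -q '^root$' "$ftpusers_file"
}

# Check 3: set-uid regular files under a directory tree, sorted.
# "-perm -4000" (bits that must all be set) works on both Solaris and GNU find.
suid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# --- Constructed sample data (assumption; not copied from any real host) ---
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/sh
nobody:x:60001:60001:Nobody:/:/usr/bin/false
sys:x:3:3::/:/bin/sh
adm:x:4:4:Admin:/var/adm:
EOF
printf 'root\n' > "$SAMPLE/ftpusers"        # root denied
: > "$SAMPLE/ftpusers_empty"                # nobody denied, so root can FTP
mkdir -p "$SAMPLE/bin"
: > "$SAMPLE/bin/ping"; chmod 4755 "$SAMPLE/bin/ping"   # set-uid
: > "$SAMPLE/bin/ls";   chmod 0755 "$SAMPLE/bin/ls"     # not set-uid

# Run the checks against the sample data.
echo "== system accounts with a login shell =="
accounts_with_shell "$SAMPLE/passwd" "lp nobody sys adm"

echo "== root FTP access =="
if root_ftp_denied "$SAMPLE/ftpusers"; then
    echo "ftpusers: root denied (ok)"
else
    echo "ftpusers: root NOT denied"
fi

echo "== set-uid files =="
suid_files "$SAMPLE/bin"
```

On Solaris the stock /usr/bin/awk does not accept -v; use nawk or /usr/xpg4/bin/awk for the first check. Only regular files are searched for the set-uid bit, which is what the quoted list asks for; a directory with the bit set is harmless and is left out deliberately.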
