Re: Solaris Security Script

From: Jason A Horn (Jason_A_Horn_at_raytheon.com)
Date: 12/13/04


To: "xyberpix" <xyberpix@xyberpix.com>
Date: Mon, 13 Dec 2004 08:02:54 -0500


Another suggestion, to make sure you don't do unnecessary work...check out
tne Center for Internet Security (www.cisecurity.org). They have a
hardening benchmark document for Solaris (another for Linux). If you
download the benchmark document, you can also download a validation script
that checks some of the same things that you have mentioned in your email
(SUID, world writable, inspects inet.d).

May be worth a quick look to see what it does, and what you can complement
it with.

Jason Horn
Raytheon

|---------+--------------------------->
| | "xyberpix" |
| | <xyberpix@xyberp|
| | ix.com> |
| | |
| | 12/10/2004 05:37|
| | AM |
|---------+--------------------------->
>-------------------------------------------------------------------------------------------------------------------------------|
  | |
  | To: focus-sun@securityfocus.com |
  | cc: |
  | Subject: Solaris Security Script |
>-------------------------------------------------------------------------------------------------------------------------------|

Hi All,

I'm working on a rather large Solaris security script, could you please
all post your idea's in here or mail me directly for things that you would
recommend checking for. I will be releasing the script undel the GPL when
it's finished, at the moment it is only in a development stage, but works,
and is a right mess. At this point in time I am mainly concerned about
functionality, I will do a lot of tidying up later on.
So far here's what it's doing, checking for:

- Does a complete filesystem search in all files for the word "password",
as a load of developers tend to leave passwords lying around in scripts,
etc. The output here is a mess, but as I said I will be tidying it up.

- Check what files users have in their home directories, and what the
permissions on these files are.

- Check for the presence of SUID files

- Get network information, IP's routes, netstat -a output.

- Copy important configuration files to have a look at, inetd.conf,
sshd2_conf, services, passwd

- Checks what services are set to run automatically

- Search for symbolic links

- Check for known development tools, gcc, cc, jave, perl, etc

- Check mount points, and what options they are mounted with

- Check ftpusers file to make sure root is not allowed to ftp

- Check various files executable permissions, snoop, sshd2, rlogin, rwho,
etc

- Check certain accounts for the presence of a shell, lp, nobody, sys,
adm, etc

- Check for programs that shouldn't be on a production box, nmap, tcpdump,
nc, etc

That's all I have for now, but any ideas would be really welcome. The idea
is to run this script as root, so that as much information as possible can
be obtained, so that it takes the grunt work out of checking a solaris
box, and so that we can concentrate on more important things.
As soon as the script gets to a decent level I will post links to it, so
whoever wants it can grab it. If I get enough responses I may open up an
area on sourceforge for it as well, and get a couple more people working
on if anyone is willing.

xyberpix