[NBLUG/talk] Security guides..

Micxz an_email at micxz.com
Sat Oct 11 14:19:01 PDT 2003


augie wrote:
> Steve Johnson wrote:
> [snip]
> 
>>What are some good steps for auditing a system?  If you were to be
>>hired to check out someone's linux (or even bsd) box, what would be
>>some of the things you would check first?
> 
> 
> just off the top of my head I'd say:
> 
> check the logs for anything suspicious.
> 
> check the timestamp on important files or binaries.
> 
> check the process utilization (ps) to see if there is anything there
> that probably shouldn't be, or that is running at an abnormally high level.
> 
> if you've got backups of important binaries or scripts you can compare
> them to your existing files to see if they have changed. (assuming your
> backups are of a clean system). I've heard of some people making md5
> message digests of their binaries with md5sum, and storing those digests
> off site, so that they can be compared if you think the system has been
> compromised.
> 
> augie.


I've got a small check list:

- Check /tmp very carefully.

find / -perm +6000 -type f -exec ls -ld {} \; > setuid.txt
(Check for files with setuid or setgid bit set)

You will see stuff like cron and at etc. You may want to disable 'at'; up to 
you. Check through setuid.txt and change/move the used files. And 
maybe get rid of the r* commands (e.g. rcp, rlogin, rsh) from before ssh.

- Compare the running process table with the /proc/* directory, just 
in case your ps has been compromised.

ls -d /proc/* | grep '[0-9]' | wc -l; ps ax | wc -l;

- If you're cleaning up after a user that you deleted from the system, you 
may want to:

visudo
(make sure the user can sudo to any programs)

passwd -l user
(lock the user's password)

chsh -s /bin/true user
(this will change the user's shell so they simply get dropped. NOTE: the 
user may still connect with RSA/DSA key auth; the user could forward 
ports like so: ssh -f -N -L8000:my.intranet.com:80 yourserver.com. This 
will be allowed because the user is not using a passwd)

rm ~/user/.ssh/authorized_keys*
(so user can't use keys or do the above)

Or simply mv ~/user ~/user-old or delete the user completely.

Hope this helps. (Can you guys tell what book I'm reading lately?)

-- 
Micxz
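As an added example (not Micxz's or the list's own code), here is the /proc-versus-ps comparison and the setuid/setgid scan from the checklist above as POSIX shell functions; the function names and the `live` argument are my own choices, and the setuid scan uses the portable `-perm -4000 -o -perm -2000` tests instead of the GNU-specific `+6000`.

```shell
#!/bin/sh
# Added example, not code from the original post: the /proc-versus-ps check
# and the setuid/setgid scan from the checklist, as reusable functions.

# PIDs visible in a proc filesystem (default /proc), one per line.
pids_from_proc() {
    dir="${1:-/proc}"
    for entry in "$dir"/[0-9]*; do
        [ -d "$entry" ] && printf '%s\n' "${entry##*/}"
    done
}

# PIDs reported by ps, one per line (header line dropped).
pids_from_ps() {
    ps ax | awk '$1 ~ /^[0-9]+$/ { print $1 }'
}

# hidden_pids PS_FILE PROC_FILE: PIDs listed in PROC_FILE but not in PS_FILE.
# A trojaned ps can filter its own output but cannot remove /proc entries, so
# anything printed here deserves a closer look. Processes that start or exit
# between the two snapshots (including this script's own pipelines) cause
# benign one-off differences, so re-run before drawing conclusions.
# The two file names must differ.
hidden_pids() {
    awk -v ps="$1" 'FILENAME == ps { seen[$1] = 1; next }
                    !($1 in seen) { print $1 }' "$1" "$2"
}

# Live comparison, like the "ls -d /proc/* ... ; ps ax | wc -l" one-liner
# but reporting the differing PIDs instead of two counts to eyeball.
audit_process_table() {
    ps_list=$(mktemp) || return 1
    proc_list=$(mktemp) || return 1
    pids_from_ps > "$ps_list"
    pids_from_proc > "$proc_list"
    hidden_pids "$ps_list" "$proc_list"
    rm -f "$ps_list" "$proc_list"
}

# list_setuid DIR: regular files under DIR with the setuid or setgid bit set,
# shown with their permissions. -xdev keeps the scan on one filesystem.
list_setuid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# Run the live checks only when invoked as: sh audit.sh live
[ "${1:-}" = "live" ] && { audit_process_table; list_setuid / > setuid.txt; }
```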

