UNIX Hints & Hacks


Chapter 3: Security

3.10 Power Tools

3.10.1 Description


Some of the best security tools for UNIX administrators are on the Internet, not from a vendor. They are developed by administrators for administrators. Most of the power tools started out as an idea and were written because nothing else was out there that could do the job. Some famous UNIX administrators like to say, "Why reinvent the wheel if someone else has already made it round?"

These power tools are typically introduced at a couple of the UNIX system administration conferences, such as LISA (Large Installation of Systems Administrators), SANS (System Administration & Network Security), or one of the other USENIX conferences. They are brought into the technical sessions and most of the creators of these power tools listen to the needs of other administrators and attempt to adapt them into upcoming releases. The new tools are usually found in the CERT/CC security tools archive. The basic power tools of the trade are a necessity and include COPS, Crack, SATAN, TCP wrappers, tripwire, and kerberos.

The Computer Oracle and Password System (COPS) is a set of scripts and programs that monitors UNIX system security. If a problem is discovered, the administrator receives an email notification. COPS makes no attempt to fix any of the problems that it discovers. It assumes that you want the most secure system possible, so the report is usually quite long; in this case, more is always good. COPS tracks and monitors the following:

Crack is a password guessing program designed to quickly find weak passwords in the password file using several common techniques. It does not support shadow password files and assumes that the second field of each entry holds the encrypted string. It works through the password file looking for users who have chosen weak passwords. Crack can find passwords in a matter of minutes. The passwords it has cracked are stored in a plain text file. If left running for long periods, Crack can surprise you and your boss when you have his password.

The Security Analysis Tool for Auditing Networks (SATAN) gathers as much information about remote hosts and networks as possible by examining network services such as finger, NFS, NIS, FTP, tftp, rexd, and others. It searches for incorrectly configured services, bugs in network utilities, and poor or ill-informed policy decisions that a company might have made. All the data can be examined and queried, and reports can be generated and analyzed through a Web browser.

TCP wrappers is a set of TCP daemons that control access to TCP connection services, such as telnet, rlogin, and finger. Access can be allowed or denied for a single host or for an entire network of host addresses. Configuration is as easy as swapping out the daemon within the /etc/inetd.conf file, restarting inetd, and telling it who is allowed and who is denied access to the machine. Additional information about incoming hosts is also logged.
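The "who is allowed and who is denied" decision that tcpd makes is easy to get wrong, because the two files are not symmetric: hosts.allow is consulted first, hosts.deny second, and a client that matches neither is let in. The following script is an added example (not code from the book or from the tcp_wrappers package) that re-implements that decision order over two constructed rule files, so you can see why the closing `ALL : ALL` line in hosts.deny matters. The file contents, host names, and addresses are all made up for the demonstration.

```python
"""Evaluate TCP wrappers style access rules for a (daemon, client) pair.

Illustrative re-implementation of the hosts.allow / hosts.deny decision
order used by tcpd (not the tcp_wrappers code itself):
  1. access is granted if an entry in hosts.allow matches,
  2. otherwise denied if an entry in hosts.deny matches,
  3. otherwise granted -- the default is permissive, which is why an
     explicit "ALL : ALL" in hosts.deny is the usual closing rule.
"""
import ipaddress

# Constructed sample files; the real ones live in /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """
# daemon_list : client_list
in.telnetd, in.rlogind : 192.168.1.
in.fingerd : .example.com
sshd : 10.0.0.0/255.0.0.0
"""

HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Return a list of (daemons, clients) tuples; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed entry: tcpd would log and ignore it
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against a client hostname and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == host or pattern == addr   # exact hostname or address


def rules_match(rules, daemon, host, addr):
    """True if any rule names this daemon (or ALL) and matches this client."""
    for daemons, clients in rules:
        if not any(d == "ALL" or d == daemon for d in daemons):
            continue
        if any(client_matches(c, host, addr) for c in clients):
            return True
    return False


def access_allowed(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the allow, then deny, then default-allow order."""
    if rules_match(parse_rules(allow_text), daemon, host, addr):
        return True
    if rules_match(parse_rules(deny_text), daemon, host, addr):
        return False
    return True


if __name__ == "__main__":
    checks = [
        ("in.telnetd", "ws1.example.com", "192.168.1.20"),
        ("in.telnetd", "host.example.net", "203.0.113.9"),
        ("in.fingerd", "ws1.example.com", "192.168.1.20"),
        ("sshd", "box.corp.internal", "10.3.4.5"),
        ("in.rexecd", "ws1.example.com", "192.168.1.20"),
    ]
    for daemon, host, addr in checks:
        verdict = "ALLOW" if access_allowed(daemon, host, addr) else "DENY"
        print(f"{verdict:5} {daemon:11} {host} ({addr})")
```

Run the same checks with an empty hosts.deny (pass `deny_text=""`) and every connection is allowed, including the `in.rexecd` one that no allow rule mentions; that is the permissive default the closing `ALL : ALL` rule exists to remove. The parser handles only the common pattern forms (ALL, leading-dot domain, trailing-dot prefix, net/mask, exact match); tcpd also understands EXCEPT lists and options, which are left out here.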

tripwire collects permission and checksum information on key system file areas that you define. It detects whether files have been replaced or tampered with, or whether some change in permissions has taken place. An email of its findings is sent to the administrator. Depending on the number of files being monitored, tripwire can be fairly disk I/O intensive if run continuously throughout the day. Running it is a very good idea, even if only once or twice a day.
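The mechanism behind tripwire is a stored baseline of mode and checksum per file, compared against a fresh scan. The script below is an added example (not tripwire's own code, and not from the book) that does exactly that in miniature: it snapshots a constructed set of files in a temporary directory, tampers with them, and reports what was added, removed, rewritten, or re-permissioned. File names such as `passwd` and `inetd.conf` are just stand-ins for the real system files you would list; a real baseline belongs on read-only media, since anyone who can rewrite the baseline can hide their changes.

```python
"""Minimal tripwire-style integrity check: record mode and SHA-256 of chosen
files, then report what changed. Illustrative code, not tripwire itself."""
import hashlib
import json
import os
import stat
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Return {path: {"mode": "0644", "sha256": "..."}} for each regular file.

    Missing files are skipped here so they show up as "removed" in compare()."""
    db = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue                      # symlinks and directories are not checksummed here
        db[p] = {"mode": f"{stat.S_IMODE(st.st_mode):04o}", "sha256": file_digest(p)}
    return db


def save_baseline(db, path):
    """Write the baseline as JSON; keep this file somewhere an intruder cannot rewrite it."""
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh snapshot."""
    report = {"added": [], "removed": [], "content": [], "mode": []}
    for p, entry in current.items():
        if p not in baseline:
            report["added"].append(p)
            continue
        if entry["sha256"] != baseline[p]["sha256"]:
            report["content"].append(p)
        if entry["mode"] != baseline[p]["mode"]:
            report["mode"].append(p)
    report["removed"] = [p for p in baseline if p not in current]
    return report


def run_demo():
    """Constructed scenario: baseline three files, tamper, compare. Returns basenames."""
    with tempfile.TemporaryDirectory() as d:
        names = {n: os.path.join(d, n) for n in ("passwd", "inetd.conf", "hosts.equiv")}
        for p in names.values():
            with open(p, "w") as fh:
                fh.write("original\n")
            os.chmod(p, 0o644)
        baseline_file = os.path.join(d, "baseline.json")
        save_baseline(snapshot(names.values()), baseline_file)

        # Simulated tampering: one rewrite, one permission change, one deletion, one new file.
        with open(names["passwd"], "a") as fh:
            fh.write("tampered\n")
        os.chmod(names["inetd.conf"], 0o666)
        os.remove(names["hosts.equiv"])
        new_file = os.path.join(d, "rhosts")
        with open(new_file, "w") as fh:
            fh.write("new\n")

        current = snapshot(list(names.values()) + [new_file])
        report = compare(load_baseline(baseline_file), current)
        return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind:8}: {', '.join(files) or '-'}")
```

On a real system you would feed `snapshot()` the list of files you care about (setuid binaries, inetd.conf, the password files, rc scripts), store the result once from a known-good state, and run the comparison from cron once or twice a day, which is also where the disk I/O cost the text mentions comes from: every monitored file is read in full on each run.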

kerberos uses DES encryption to authenticate users and services, proving that they are in fact who they claim to be. It passes tickets throughout a network to certify the identity of a user and provide access to all network services. It provides the security of passwords without requiring that someone type a password every few minutes.

Other Resources

World Wide Web:

COPS, Crack, TCP Wrapper, Tripwire -- ftp://ftp.cert.org/pub/tools

SATAN -- http://www.trouble.org/satan

© Copyright Macmillan USA. All rights reserved.