[comp.unix.admin] Security audit programs

PLS@cup.portal.com (Paul L Schauble) (03/20/91)

I have a vague recollection of a program posted to comp.sources a while
back that would scan a filesystem and catalog setuid and setgid program
files.

Can anyone give me a pointer to this, or to similar commercial programs that
can be used for a periodic security audit?

    ++PLS

jik@athena.mit.edu (Jonathan I. Kamens) (03/20/91)

In article <40371@cup.portal.com>, PLS@cup.portal.com (Paul L Schauble) writes:
|> I have a vague recollection of a program posted to comp.sources a while
|> back that would scan a filesystem and catalog setuid and setgid program
|> files.

  I believe what you're referring to is the "COPS" package.

  Versions of it were posted to comp.sources.unix and alt.sources, and are
therefore available at any sites that archive those newsgroups (e.g. 
uunet.uu.net or wuarchive.wustl.edu).  Furthermore, here are a few ftp sites
that have it available:

	Host				File
	-------------------------------	----------------------------
	arthur.cs.purdue.edu		/pub/COPS/cops.tar
	gumby.dsd.trw.com		/pub/security/cops.102.tar.Z
	nuri.inria.fr			/system/cops-1.02.tar.Z
	svin02.info.win.tue.nl		/system/cops1.02.tar.Z
	flop.informatik.tu-muenchen.de	/pub/cops.102.tar.Z

(I found these sites by telnet'ing to quiche.cs.mcgill.ca as archie (no
password) and typing "set search sub", "set sortby time" and then "prog cops".
If you don't have telnet access, you can send mail to archie@quiche.cs.mcgill.ca
to make queries, e.g. with mail body "prog cops".  Of course, if you don't know
the name of the package you're looking for, this doesn't help you much. :-) )

  If you don't have anonymous ftp access, you can get to the anonymous ftp
servers using the bitftp server at pucc.princeton.edu.  Send mail to
bitftp@pucc.princeton.edu with body "help" for more information.

-- 
Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik@Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8085			      Home: 617-782-0710

jc@minya.UUCP (John Chambers) (03/26/91)

In article <40371@cup.portal.com>, PLS@cup.portal.com (Paul L Schauble) writes:
> I have a vague recollection of a program posted to comp.sources a while
> back that would scan a filesystem and catalog setuid and setgid program
> files.
> 
> Can anyone give me a pointer to this, or to similar commercial programs that
> can be used for a periodic security audit?

Hardly a need for a special program.  What I do is:

	find / -user root -perm -4000 -exec ls -ld {} ';'

This of course only checks for setuid-root programs, which are the really 
suspicious ones.  To answer your question more exactly:

	find / \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} ';'

(Actually, I wouldn't be very surprised to find that someone had written
a separate program to duplicate this special case.  People do silly things
like that all the time. ;-)

-- 
All opinions Copyright (c) 1991 by John Chambers.  Inquire for licensing at:
Home: 1-617-484-6393 
Work: 1-508-486-5475
Uucp: ...!{bu.edu,harvard.edu,ima.com,eddie.mit.edu,ora.com}!minya!jc 

bjorn@sysadmin.sysadmin.com (Bjorn Satdeva) (03/27/91)

In <612@minya.UUCP> jc@minya.UUCP (John Chambers) writes:

>> [Question about periodic security audit deleted.]

>Hardly a need for a special program.  What I do is:

> [Solution using find deleted]

>(Actually, I wouldn't be very surprised to find that someone had written
>a separate program to duplicate this special case.  People do silly things
>like that all the time. ;-)

John,

Writing a program which does this kind of test is not necessarily silly.
If you are responsible for a large number of systems, and run the test
automatically from cron, you only want to hear about the problems,
not all the OK stuff.

References to security audit programs are COPS (posted to comp.unix.sources),
SPY (LISA proceedings 1989 [I think]) and SECURE in the UNIX Security Book
by W&K.  The last is a good starting point for how to write your own security
audit (approx. 60 pages of shell scripts), but don't expect to use it as is,
unless you run vanilla SYS V rel 2.

Bjorn
--
Bjorn Satdeva --  email: bjorn@sysadmin.com or uunet!sysadmin!bjorn	
/sys/admin, inc.  The Unix System Management Experts  (408) 241 3111
Send requests to the SysAdmin mailing list to sysadm-list-request@sysadmin.com

bush@ecs.ox.ac.uk (Mark Bush) (03/27/91)

In article <612@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
>In article <40371@cup.portal.com>, PLS@cup.portal.com (Paul L Schauble) writes:
>> I have a vague recollection of a program posted to comp.sources a while
>> back that would scan a filesystem and catalog setuid and setgid program
>> files.
>
>	find / -perm -4000 -o -perm -0200 -exec ls -ld {} ';'
>

Hmmm...your `ld' flags suggest you mean to find directories?  Personally, I
prefer to ignore directories when I do these searches...the set groupid flag
on directories is used a lot here (SunOS).  Add a `! -type d' to the list to
ignore them...makes the output easier to peruse. 8*)

What I run here on each filesystem containing user areas is:

find . -xdev \! -type d \( -perm -04000 -o -perm -02000 \) -ls -exec file {} \;

(The -xdev is not normally needed, but, on the server, I may find the need
for mounting things in strange places! 8*)

Mark
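The thread makes two points worth combining: the find invocation itself (parenthesised setuid/setgid tests, skipping directories, staying on one filesystem) and Bjorn's observation that an audit run from cron should only speak up when something has changed. The script below is an added example, not code posted by anyone in the thread, that keeps a baseline of privileged files and reports only additions and removals. It assumes POSIX find, ls, awk, sort, comm and mktemp; the baseline path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): cron-friendly setuid/setgid audit that
# records a baseline and afterwards prints only the differences, so an
# unattended run produces no mail when nothing has changed.
# Assumes POSIX find, ls, awk, sort, comm and mktemp.

# list_privileged DIR
#   One line per setuid or setgid regular file under DIR, staying on one
#   filesystem (-xdev) and skipping directories, where setgid means something
#   else.  The parentheses matter: without them -exec binds only to the
#   setgid test and setuid files are matched but never printed.  Only mode,
#   owner, group and path are kept, so a changed mtime is not mistaken for a
#   change in privilege.  LC_ALL=C gives comm a stable sort order across runs.
list_privileged() {
    find "$1" -xdev ! -type d \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | LC_ALL=C sort
}

# audit_privileged DIR BASELINE
#   First run: record the baseline and return 0.
#   Later runs: print "+ line" for privileged files that appeared (or whose
#   mode or ownership changed) and "- line" for ones that vanished.  Returns
#   0 when the tree matches the baseline, 1 when it does not, so cron only
#   sends mail when there is something to look at.
audit_privileged() {
    dir=$1
    baseline=$2
    current=$(mktemp) || return 2
    list_privileged "$dir" > "$current"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        rm -f "$current"
        echo "baseline recorded in $baseline"
        return 0
    fi
    # comm -13: lines only in current (added); comm -23: only in baseline (removed)
    added=$(LC_ALL=C comm -13 "$baseline" "$current")
    removed=$(LC_ALL=C comm -23 "$baseline" "$current")
    rm -f "$current"
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    return 1
}

# Usage from cron (hypothetical baseline path); any output is the whole report:
#   audit_privileged / /var/adm/suid.baseline
```

The baseline file is itself something to protect: an attacker who can rewrite it can hide a newly planted setuid binary, so keep it outside the audited tree or on read-only media, and treat a reported "-" line for a known system binary as seriously as a "+" line.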