IT Baseline Protection Manual S 4.26 Regular security checks of Unix systems
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Unix operating systems by default offer various security features. However, these can only become effective if they are used properly. The settings required for this purpose should be automatically checked by means of tools so that
it will be possible to detect and to remedy inconsistencies within a Unix system; and
the system administrator will be able to manage the Unix operating system by making optimum use of the existing security mechanisms.
Such checks can be made with programs supplied with the given Unix system, individually developed shell scripts or public domain (PD) programs. For some Unix variants, commercial programs are available as well.
Examples:
pwck
This is one of the standard operating system commands. With this command, a consistency check is made of the /etc/passwd file. It verifies whether all required entries have been made, whether the log-in directory of each user exists, and whether the log-in program exists. Similar functions are provided by the additional logins command in Unix SVR4, with which it is also possible to locate accounts without a password.
grpck
With this command, a consistency check is made of the /etc/group file. This command is also one of the standard operating system commands. It checks whether all required entries have been made, whether the members of a group are actually present in the user password file and whether the group number (GID) matches the one given in that file.
tripwire
Using this program, integrity checks of files can be carried out. Checksums of files are created and stored in a database, against which later runs are compared. tripwire is available in various free versions.
cops
This public domain program serves to check the security of Unix systems: various system settings, access rights, SUID files etc. are checked and potential security loopholes highlighted.
tiger
With this public domain program, Unix systems can be checked for security weaknesses. The program works similarly to cops.
SATAN
Using this public domain program, network security can be analysed. It checks networked Unix systems for known deficiencies, which frequently have still not been eliminated.
USEIT
This tool for secure Unix administration was developed by the BSI to enable system administrators to check the security settings of a Unix system automatically. Further information on USEIT can be obtained from the IT baseline protection CD.
crack
With this public domain program, a check is made of whether the existing passwords are too simple and can be easily guessed.
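As an added illustration (not part of the manual and not USEIT), the following Python script reproduces the consistency checks the manual attributes to pwck, logins and grpck, run over constructed sample passwd and group files; the file contents, the user and group names and the set of paths assumed to exist are all constructed for the example.

```python
import os
# Constructed sample files; guest, bob, broken and mallory carry the faults.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
guest::1002:1002:Guest:/home/guest:/bin/sh
bob:x:1003:4242:Bob:/home/bob:/bin/nologin
broken:x:1004:1004:Broken
"""
SAMPLE_GROUP = """root:x:0:
alice:x:1001:alice,mallory
guest:x:1002:
"""
# Paths assumed to exist for the sample; a live run uses os.path.exists.
SAMPLE_PATHS = {"/root", "/home/alice", "/home/guest", "/bin/sh"}

def check_passwd(passwd_text, exists=os.path.exists):
    """pwck/logins-style checks; returns (findings, {user: primary gid})."""
    findings, users = [], {}
    for n, line in enumerate(passwd_text.splitlines(), 1):
        f = line.split(":")
        if len(f) != 7:  # incomplete entry
            findings.append(f"passwd:{n}: expected 7 fields, got {len(f)}")
            continue
        name, pw, _uid, gid, _gecos, home, shell = f
        users[name] = gid
        if pw == "":  # account without a password (what 'logins' reports)
            findings.append(f"passwd:{n}: account {name} has no password")
        if not exists(home):  # login directory must exist
            findings.append(f"passwd:{n}: home {home} of {name} missing")
        if not exists(shell):  # login program must exist
            findings.append(f"passwd:{n}: shell {shell} of {name} missing")
    return findings, users

def check_group(group_text, users):
    """grpck-style checks: members exist in passwd, primary GIDs are defined."""
    findings, gids = [], set()
    for n, line in enumerate(group_text.splitlines(), 1):
        f = line.split(":")
        if len(f) != 4:
            findings.append(f"group:{n}: expected 4 fields, got {len(f)}")
            continue
        gname, _pw, gid, members = f
        gids.add(gid)
        for m in filter(None, members.split(",")):
            if m not in users:
                findings.append(f"group:{n}: member {m} of {gname} not in passwd")
    for name, gid in users.items():
        if gid not in gids:
            findings.append(f"passwd: gid {gid} of {name} not in group file")
    return findings
```

On a live system call `check_passwd(open("/etc/passwd").read())` and pass the returned user map to `check_group`; with shadow passwords the password field is normally "x", so only a genuinely empty field is reported.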
Additional controls:
Are the execution and the results of such security checks being documented?
Which vulnerabilities are checked by the programs and shell scripts used?