S 4.26 Regular security checks of Unix systems

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Unix operating systems by default offer various security features. However, these can only become effective if they are used properly. The settings required for this purpose should be automatically checked by means of tools so that

• it will be possible to detect and to remedy inconsistencies within a Unix system; and

• the system administrator will be able to manage the Unix operating system by making optimum use of the existing security mechanisms.

Such checks can be made with programs available in the given Unix system, individually developed shell scripts or PD programs. For some Unix variants, commercial programs are available as well.

Examples:

• pwck

This is one of the standard operating system commands. With this command, a consistency check is made of the /etc/passwd file. This is to verify whether all required entries have been made, whether the log-in directory for the user exists, and whether the log-in program is in existence. Similar functions are provided by the additional logins command for Unix SVR4 with which it is also possible to locate accounts without a password.

• grpck

With this command, a consistency check is made of the /etc/group file. This command is also one of the standard operating system commands. This is to check whether all required entries have been made, whether the members of a group are actually included in the user password file and whether the group number tallies with the number given in that file.

• tripwire

Using this program, integrity cheks of files can be carried out. Checksums of files are created and stored in a data base. tripwire is available in various free versions.

• cops

This public domain program serves to check the security of Unix systems, e.g. various system settings, access rights, SUID files etc, are checked and potential security loopholes highlighted.

• tiger

With this Public-Domain program, Unix systems can be checked for security weaknesses. The program works similar to cops.

• SATAN

Using this public domain program, the network security can be analysed. It checks networked Unix systems for known deficiencies which have often not been eliminated.

• USEIT

This tool for secure Unix administration was developed by the BSI to enable system administrators to automatically check the security settings of a Unix system with a tool. Further information on USEIT can be obtained from the IT baseline protection CD.

• crack

With this public domain program, a check is made of whether the existing passwords are too simple and can be easily guessed.

Additional controls:

• Are the execution and the results of such security checks being documented?

• Which vulnerabilities are checked by means of the used programs and shell scripts?