Security Tools in Linux Distributions, Part II

The second part of this series is an overview of various tools included in SuSE distributions for hardening, monitoring and securing your system.

In part one of this article, I talked about some of the different methods you could use to monitor your system, focusing on those included in Red Hat 7.3. Now, we move on to the SuSE distribution.

SuSE 8.0's installation program allows the software packages to be viewed as groups or as package sets. To make things easier, one package application group is called security. The only hardening or monitoring tool installed by default is tcp_wrappers. Applications that are available, but not installed by default, include Aide, Arpwatch, Harden_suse, Logdigest, Nessus, Nmap, Saint, Scanlogd, Seccheck, Snort and Tripwire.

Figure 2. SuSE Installation Menu with Security Package
To check if other security packages were available, we listed all available packages. We found both Iptraf and Ethereal listed under the network package set and installed by default. As you can see, one person's network utility is another person's security tool. Using the default installation, we added Aide, Harden_suse, Logdigest, Nessus, Scanlogd, Seccheck, Saint and Snort as optional tools to the installation.

System Hardening

Again, the first step to secure a system is to remove all the unwanted services. SuSE uses inetd to listen for connections and the YaST2 (yet another setup tool) configuration tool to graphically edit network services. YaST2 showed that the time, Telnet, rlogin and finger services were activated by default and that Telnet, rlogin and finger were routed through tcpd for access control. We disabled Telnet, rlogin and finger as services we did not want, then checked to make sure OpenSSH was started as a dæmon from /etc/rc.d/sshd as a secure replacement for these services.

The next step in the security check is ensuring that the critical system files do not have weak file permissions. SuSE has a security script, Harden_suse, which secures the operating system and makes it resistant to attacks. A strange thing happens when using Harden_suse, however: the script issues a warning that it is only verified to work on SuSE 5.3 up to 7.2. SuSE changed the filesystem layout in 8.0 to be Linux Standard Base compliant, which may have broken the script. This warning, followed by a second warning that said "the script will secure your system which means it will disable almost all services on the system and tamper with some configuration file", made me very wary. Rather than risk an unsupported script that could disable my system, I left it alone.

Fortunately, SuSE's YaST2 control center also has a security settings tool, part of the Security and Users menu. It allows root to define a set of local security configurations, including password settings, user creation settings, console behavior and file permissions. The security settings have the default filesystem permissions set to "easy". This means most system files are readable by root, but not by other users. The more stringent "secure" setting restricts the files that can be viewed by root. And the "paranoid" setting requires that users who run applications be predefined. A list of the system files, their ownership and file permissions is located in /etc/permissions.easy, /etc/permissions.secure and /etc/permissions.paranoid. Users can even customize their own file permission settings by adding their own entries to /etc/permissions.local. The YaST2 security settings tool performs many of the same functions as Harden_suse and uses an interactive graphical menu. Most users should be comfortable with the easy or secure settings. Select "paranoid" only if you are sure you need it.
Figure 3. YaST2 Security Set
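The /etc/permissions.* lists described above pair each critical file with its expected owner, group and mode. As an added example (not the article's or SuSE's own code), here is a small audit that parses such a list and reports files that deviate from it; the line format "path owner:group mode" is assumed, and the file tree it checks is constructed in a temporary directory.

```python
import grp
import os
import pwd
import stat
import tempfile

def parse_permissions(text):
    """Yield (path, 'owner:group', mode) per entry; '#' starts a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            path, ownership, mode = line.split()
            yield path, ownership, int(mode, 8)

def owner_of(st):
    """'owner:group' by name, or numeric for ids with no passwd/group entry."""
    try:
        return f"{pwd.getpwuid(st.st_uid).pw_name}:{grp.getgrgid(st.st_gid).gr_name}"
    except KeyError:
        return f"{st.st_uid}:{st.st_gid}"

def audit(root, listing):
    """Return findings for listed files under root that deviate from the list."""
    findings = []
    for rel, ownership, mode in parse_permissions(listing):
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            findings.append(f"{rel}: missing")
            continue
        actual = stat.S_IMODE(st.st_mode)
        if actual != mode:
            findings.append(f"{rel}: mode {actual:04o}, expected {mode:04o}")
        if owner_of(st) != ownership:
            findings.append(f"{rel}: owned by {owner_of(st)}, expected {ownership}")
    return findings

def demo():
    """Constructed tree: etc/shadow left world-readable, sshd_config absent.
    The list names the running user as owner, so only mode findings appear."""
    with tempfile.TemporaryDirectory() as root:
        me = owner_of(os.lstat(root))
        listing = (f"etc/passwd          {me}  644\n"
                   f"etc/shadow          {me}  640\n"
                   f"etc/ssh/sshd_config {me}  600\n")
        os.mkdir(os.path.join(root, "etc"))
        for rel, mode in (("etc/passwd", 0o644), ("etc/shadow", 0o644)):
            path = os.path.join(root, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(root, listing)
```

Run against a real list (with root as the expected owner) the same audit turns the static permissions file into a repeatable check rather than a one-time setting.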
Host System Monitoring

SuSE 8.0 includes Aide, Logdigest, Nmap, Seccheck and Tripwire as optional HIDS programs. Nmap works in the same way as it does in Red Hat. Tripwire works almost the same, except there is no database installation script, such as twinstall.sh in Red Hat, nor is there a crontab, which we will note again later.

Seccheck (security checker) is a host security analyzer with three different levels of scans. When Seccheck is installed, it automatically adds a crontab, /etc/cron.d/seccheck, to run daily, weekly and monthly security checks.

The daily Seccheck, run at midnight, checks for user security vulnerabilities, system abnormalities, module changes and port changes. It also checks for changes in user and group information and for common weaknesses that may indicate an intrusion. The changes since the last daily Seccheck run are then mailed to root.
See Table 2 for a list of checks in the daily scan.

Table 2. SuSE Daily Security Check

  /etc/passwd check   Length/number/contents of fields, accounts with the same uid, accounts with uid/gid of 0 or 1 besides root and bin
  /etc/shadow check   Length/number/contents of fields, accounts with no password
  /etc/group check    Length/number/contents of fields
  User root checks    Secure umask and PATH
  /etc/ftpusers       Checks if important system users are listed there
  /etc/aliases        Checks for mail aliases which execute programs
  .rhosts check       Checks if users' .rhosts files contain + signs
  Home directory      Checks if home directories are writable or owned by someone else
  dot-files check     Checks many dot-files in the home directories to see if they are writable or owned by someone else
  Mailbox check       Checks if user mailboxes are owned by the user and not readable by others
  NFS export check    Exports should not be exported globally
  NFS import check    NFS mounts should have the "nosuid" option set
  Promisc check       Checks if network cards are in promiscuous mode
  list modules        Lists loaded modules
  list sockets        Lists open ports

(Copied from Marc Heuse.)

The weekly security check is a more exhaustive user and filesystem check; its checks are important but too intensive to run daily. The weekly scripts are run every Monday at 1:00am. They include checks for weak passwords, changes in the system files, files and executables that are group or world writable and all system devices. Again, only the differences from the previous weekly security scan are mailed to root. See Table 3 for a list of checks in the weekly scan.

Table 3. SuSE Weekly Security Check

  Password check      Runs john to crack the password file; the user will get an email notice to change his password
  rpm md5 check       Checks for changed files via rpm's md5 checksum feature
  suid/sgid check     Lists all suid and sgid files
  exec group write    Lists all executables which are group/world writable
  Writable check      Lists all files which are world writable (incl. above)
  Device check        Lists all devices

(Also copied from Marc Heuse.)

The monthly security check is run on the first day of every
month at 4:00am, and it sends a complete set of information from both the daily and weekly checks to root. One pitfall of using Seccheck is that one has to pay attention to when changes are reported. Since only changes to the system since the last Seccheck analysis are e-mailed, anomalies appear only once. If you miss a change, you may not catch suspicious activity for a week or even a month.

Seccheck is a good set of security auditing tools that monitor many of the user-related vulnerabilities. It is surprising that it is not enabled by default.

Even though Seccheck has a filesystem integrity check, it is always better to install a separate system integrity checker with control of the file signature database. SuSE has both Aide and Tripwire as optional HIDS. Since I already discussed Tripwire in the Red Hat example, I am using Aide for this SuSE example. Aide (advanced intrusion detection environment) is a file integrity checker and a free replacement for Tripwire. It does not have some of the licensing restrictions of Tripwire. To start using Aide, simply run

# aide --init

to create the Aide database. SuSE has the Aide configuration file in /etc/aide.conf, and the database is written to /var/lib/aide/aide.db.new. To check the filesystem, use

# aide --check

Aide can be run daily to report changes in the filesystem, the same way Tripwire is run. SuSE also does not include a crontab to run Aide automatically, the way Red Hat does with Tripwire. Nor does the Tripwire package on SuSE automatically add a Tripwire crontab. Aide and Tripwire can be used both as an alarm for a system penetration and for intrusion recovery. Both are good; use at least one of them.

Logdigest is a log analysis and reporting tool that can be
optionally installed in SuSE. Based on Logcheck by Psionic Technologies, Logdigest scans log files, sorts the information and e-mails an analysis to the system administrator. Logdigest uses a keyword system to prioritize the log entries, presenting system attacks and unusual events first. It extends Logcheck's report by adding information about the system's mail queue, usage status, network device status and disk usage to the report.

Logdigest is installed in /etc/cron.daily as aaa_base_logdigest. The Logdigest configuration file and keyword files are installed in /etc/logdigest. They allow system administrators to define which log entries to prioritize, which log entries to ignore, which logs to parse, who to send the report to and whether extended system status information should be added. The Logdigest report is most useful if as much system information as possible is analyzed. By default, Logdigest scans only /var/log/messages, the system information log file, and /var/log/mail, the mail information log file. To increase Logdigest's effectiveness, either add all the system logs to the list of logs scanned by Logdigest or reconfigure the syslog dæmon to log all information to /var/log/messages. Reconfiguring syslog, by editing /etc/syslog.conf, to log all messages to /var/log/messages ensures that no log files will be left out and no information will be missed. Logdigest should be run daily, but before the log files are rotated.

Network Monitoring

SuSE installs Iptraf and Ethereal by default and Arpwatch,
Snort, Saint and Nessus as optional packages.

Since Iptraf, Ethereal and Arpwatch work in the same way as the versions in Red Hat do, I'll concentrate on the other tools selected earlier in our installation: Scanlogd, Snort, Saint and Nessus.

Scanlogd is a system dæmon that logs port scans to the system logs. Scanlogd can be started as a network dæmon from /etc/rc.d/scanlogd. It logs a scan if at least "7 privileged ports or 21 non-privileged ports, or a weighted average of the two have been accessed, with no longer than 3 seconds between the accesses". Scanlogd can be run continuously to monitor for hackers probing the system. Because Scanlogd only logs scans to syslog, it depends on the system administrator to monitor the logs and take action.

Snort is a network intrusion detection tool that can log and analyze packets in real time. It can detect a variety of port scans, probes, OS fingerprinting and attacks. Snort is a modular, rules-based system that detects a number of attacks, not only against Linux and UNIX but also against Microsoft systems. It provides real-time alerts to the host via syslog or to a remote host via a UNIX socket.

Snort can be started as a network dæmon from /etc/rc.d/snort. Users will want to add their home network information to the Snort configuration file in /etc/snort/snort.conf. The /etc/snort directory contains many attack signature modules, including signatures for IIS, DNS, finger, FTP, NetBIOS, Telnet, ColdFusion and FrontPage attacks. Snort should be run continuously to monitor for attacks. It provides great information, but it also depends on the system administrator to check the logs and take action.

Finally, Saint (Security Administrator's Integrated Network Tool) and Nessus are optional NIDS tools. They are vulnerability scanners rather than network monitors. They scan target hosts, determine which applications are running and report if any known vulnerabilities are found.

Saint is a web-based vulnerability scanner. It gathers information about networks and hosts and displays the information using a standard browser, such as Netscape or Konqueror. Running Saint on SuSE is as easy as typing

# saint

in an X terminal. In the past, Saint required the system to have a fully qualified domain name and other authentication to work, but no longer. It includes options for a variety of scans, including an option to scan for only the SANS Top 20 Internet Security Vulnerabilities. Saint is a good tool to run after you have secured your system. It helps you verify that your system is secured against known vulnerabilities.
Figure 4. Saint Browser Menu
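Returning to the Scanlogd threshold quoted earlier in this section: the following is an added example (not scanlogd's own code) that applies that rule to constructed connection records so you can see which sequences a log watcher would flag. Weighting a privileged port 3 and a non-privileged port 1 against a threshold of 21 is an assumption chosen to reproduce "7 privileged ports or 21 non-privileged ports"; the 3-second gap rule is taken from the quote, and a source's sequence restarts after a longer gap.

```python
from collections import defaultdict

PRIV_WEIGHT, UNPRIV_WEIGHT = 3, 1   # assumed weights, see lead-in
THRESHOLD, MAX_GAP = 21, 3.0        # 21 = 7 privileged or 21 non-privileged ports

class ScanTracker:
    """Track distinct destination ports per source address."""
    def __init__(self):
        self.state = defaultdict(lambda: {"ports": set(), "last": None})

    def observe(self, ts, src, port):
        """Record one connection attempt; return an alert string or None."""
        st = self.state[src]
        if st["last"] is not None and ts - st["last"] > MAX_GAP:
            st["ports"].clear()          # too slow to count as one sequence
        st["last"] = ts
        st["ports"].add(port)
        weight = sum(PRIV_WEIGHT if p < 1024 else UNPRIV_WEIGHT
                     for p in st["ports"])
        if weight >= THRESHOLD:
            ports = sorted(st["ports"])
            st["ports"].clear()          # one alert per burst
            return f"{src}: port scan, {len(ports)} ports {ports[0]}-{ports[-1]}"
        return None

def alerts_for(records):
    """Run (timestamp, source, port) records through a tracker; return alerts."""
    tracker = ScanTracker()
    return [a for a in (tracker.observe(*r) for r in records) if a]

# Constructed sample: a fast sweep of 7 privileged ports, the same sweep with
# 5-second gaps, a mixed sweep of 4 privileged + 9 non-privileged ports
# (weight 12 + 9 = 21), and two ordinary connections.
PRIV = [21, 22, 23, 25, 79, 80, 110]
SAMPLE = (
    [(i * 0.2, "10.0.0.5", p) for i, p in enumerate(PRIV)]
    + [(100.0 + i * 5.0, "10.0.0.6", p) for i, p in enumerate(PRIV)]
    + [(200.0 + i * 0.1, "10.0.0.8", p)
       for i, p in enumerate([22, 23, 25, 80] + list(range(1024, 1033)))]
    + [(300.0, "10.0.0.7", 80), (300.5, "10.0.0.7", 443)]
)

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE):
        print(alert)
```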
Nessus is a client/server distributed program that also can test multiple servers for a wide range of vulnerabilities. The server portion of Nessus can be started as a dæmon from /etc/rc.d/nessusd. The client, nessus, controls the scans and displays the report, and it can run as an X, Java or MS Windows client. The Nessus server dæmon asks you to create encrypted user/password keys using the nessus-adduser command, if you have not already created them. This prevents unauthorized users from connecting to the server and running scans. A Nessus check shows a system's vulnerabilities and makes recommendations on changes to improve security. The nessusd dæmon should be run only as needed; otherwise it uses up resources and creates a service that could itself be hacked.

Conclusions

Securing a Red Hat or SuSE system has been made much simpler with the security tools now available on each distribution. Both Red Hat and SuSE have good security add-ons. Red Hat tools include Tripwire and Logwatch as HIDS and Arpwatch, Ethereal and Iptraf as NIDS. SuSE offers system hardening tools, as part of the YaST2 security control center, as well as Seccheck, Tripwire, Aide and Logdigest as HIDS. Ethereal, Iptraf, Scanlogd, Saint, Snort and Nessus all are available as NIDS. Spend a little time finding and using the tools on a distribution during the installation process. It can save you a lot of time and help keep your system secure.

Resources

For more detailed discussions of the tools in this article,
see:

"Using xinetd", Jose Nazario, Linux Journal, March 2001.

"Checking Your Work with Scanners, Part 1: nmap", Mick Bauer, Linux Journal, May 2001.

"Intrusion Detection for the Masses", Mick Bauer, Linux Journal, July 2001.

"Understanding IDS for Linux", Pedro Bueno, Linux Journal, May 2002.

"Checking Your Work with Scanners, Part II: Nessus", Mick Bauer, Linux Journal, May 2001.

For more information about Linux distribution features, see "2001 Linux Functional Review", D.H. Brown Associates, Inc., September 2001.

For more information on widely used security tools, visit "Top 50 Security Tools", the Security Consensus Operational Readiness Evaluation and the Linux.doc Checklist.

For more information about Harden_suse, visit Marc Heuse's web site.

For more about scanlogd, see the scanlogd man page.

Bobby S. Wen is a senior technical manager with two engineering degrees and an MBA. He started playing with Linux in 1994 and has been addicted ever since. In his spare time, he tries to prevent his children from hacking into the home gateway server and turning on chat and file sharing.

email: bwen@yahoo.com
