
Security Tools in Linux Distributions, Part II

The second part of this series is an overview of various tools included in SuSE distributions for hardening, monitoring and securing your system.

In part one of this article, I talked about some of the different methods you could use to monitor your system, focusing on those included in Red Hat 7.3. Now, we move on to the SuSE distribution.

SuSE 8.0's installation program allows the software packages to be viewed as groups or as package sets. To make things easier, one package application group is called Security. The only hardening or monitoring tool installed by default is tcp_wrappers. Applications that are available, but not installed by default, include Aide, Arpwatch, Harden_suse, Logdigest, Nessus, Nmap, Saint, Scanlogd, Seccheck, Snort and Tripwire.

Figure 2. SuSE Installation Menu with Security Package

To check if other security packages were available, we listed all available packages. We found both Iptraf and Ethereal listed under the network packages set and installed by default. As you can see, one person's network utility is another person's security tool. Using the default installation, we added Aide, Harden_suse, Logdigest, Nessus, Scanlogd, Seccheck, Saint and Snort as optional tools to the installation.

System Hardening

Again, the first step in securing a system is to remove all unwanted services. SuSE uses inetd to listen for connections and the YaST2 (Yet another Setup Tool) configuration tool to edit network services graphically. YaST2 showed that the time, Telnet, rlogin and finger services were activated by default and that Telnet, rlogin and finger were routed through tcpd for access control. We disabled Telnet, rlogin and finger as services we did not want, then checked that OpenSSH was started as a dæmon from /etc/rc.d/sshd as the secure replacement for them.
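To make the inetd step concrete, here is a small shell script (an added example, not code from the original article or from SuSE) that lists the services enabled in an inetd.conf and comments out the ones you do not want. The inetd.conf contents are constructed for the demonstration; the field layout (service, socket type, protocol, wait flag, user, server, arguments) is the standard one, and the tcpd entries mirror how SuSE routed Telnet, rlogin and finger through tcp_wrappers. The functions operate on whatever path you hand them, so try them on a copy before pointing them at /etc/inetd.conf, and remember that inetd has to be told to re-read its configuration after the real file changes.

```shell
#!/bin/sh
# Added example: audit and prune services in an inetd.conf.
# The sample below is constructed for the demo; the field layout is
#   service  socket  proto  wait/nowait  user  server  [args]
# and "login" is the inetd name of the rlogin service.
SAMPLE_INETD_CONF='# constructed inetd.conf sample
time    stream  tcp     nowait  root    internal
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
# ftp   stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
'

# Print the service name of every line that is neither blank nor commented out.
# $1: path to the inetd.conf
enabled_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF > 0 { print $1 }'
}

# Comment out every line whose first field is the given service name.
# $1: path to the inetd.conf, $2: service name. Edits the file in place.
disable_service() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Print each service from a list of unwanted ones that is still enabled.
# $1: path to the inetd.conf; remaining arguments: service names to flag.
unwanted_enabled() {
    conf="$1"; shift
    for svc in "$@"; do
        if enabled_services "$conf" | grep -qx "$svc"; then
            echo "$svc"
        fi
    done
}

# Demo on a temporary copy of the constructed sample; never touches /etc/inetd.conf.
demo_inetd() {
    conf=$(mktemp)
    printf '%s' "$SAMPLE_INETD_CONF" > "$conf"
    echo "enabled before: $(enabled_services "$conf" | tr '\n' ' ')"
    for svc in telnet login finger; do
        disable_service "$conf" "$svc"
    done
    echo "enabled after:  $(enabled_services "$conf" | tr '\n' ' ')"
    echo "unwanted still enabled: $(unwanted_enabled "$conf" telnet login finger | tr '\n' ' ')"
    rm -f "$conf"
}

demo_inetd
```

Running `unwanted_enabled` against the live file from a cron job is a cheap way to notice when a package update or a colleague quietly re-enables one of these services.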

The next step in the security check is ensuring that critical system files do not have weak file permissions. SuSE has a hardening script, Harden_suse, which secures the operating system and makes it more resistant to attack. A strange thing happens when you run Harden_suse, however: the script warns that it has only been verified to work on SuSE 5.3 through 7.2. SuSE 8.0 changed the filesystem layout to be Linux Standard Base compliant, which may have broken the script. That warning, followed by a second one stating that "the script will secure your system which means it will disable almost all services on the system and tamper with some configuration file", made me very wary. Rather than risk an unsupported script disabling my system, I left it alone.

Fortunately, SuSE's YaST2 control center also has a security settings tool, part of the Security and Users menu. It allows root to define a set of local security configurations, including password settings, user creation settings, console behavior and file permissions. The default file permission level is "easy", which leaves most system files readable by ordinary users. The more stringent "secure" level makes some system files readable only by root. The "paranoid" level goes further still, and users who need to run certain privileged programs must be predefined. The lists of system files with their ownership and permissions are in /etc/permissions.easy, /etc/permissions.secure and /etc/permissions.paranoid, and local overrides can be added in /etc/permissions.local. The YaST2 security settings tool performs many of the same functions as Harden_suse, through an interactive graphical menu. Most users should be comfortable with the easy or secure settings; select "paranoid" only if you are sure you need it.
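The YaST2 permission levels are just the /etc/permissions.* files applied to the filesystem, so you can audit a system against one of them yourself. The shell script below is an added example, not the article's code and not SuSE's own checker: it reads a file in the "path owner.group mode" layout of the permissions files and reports every entry whose owner, group or mode differs on disk, plus entries whose path is missing. The demo function builds its own temporary files and a constructed permissions file for them, so it runs without touching the real system; accepting ":" as well as "." between owner and group is a convenience assumption, not part of the SuSE format.

```shell
#!/bin/sh
# Added example: check a SuSE-style permissions file against the filesystem.
# Entry layout assumed (matching /etc/permissions.*): "path owner.group mode",
# one entry per line, "#" starting a comment.

# Print "owner group mode" for a path: GNU stat first, BSD stat as a fallback.
file_ugm() {
    stat -c '%U %G %a' "$1" 2>/dev/null || stat -f '%Su %Sg %Lp' "$1"
}

# Normalise an octal mode string so that "0640" and "640" compare equal.
norm_mode() {
    printf '%o' "0$1"
}

# Check every entry of a permissions file ($1) against the live filesystem.
# Prints "PATH: expected OWNER GROUP MODE, found OWNER GROUP MODE" per mismatch
# and "MISSING: PATH" for entries whose path does not exist; silent when all match.
check_permissions() {
    permfile="$1"
    while read -r path ug mode; do
        case "$path" in ''|'#'*) continue ;; esac   # skip blank lines and comments
        owner=${ug%%[.:]*}                           # owner.group (':' tolerated too)
        group=${ug#*[.:]}
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            continue
        fi
        want="$owner $group $(norm_mode "$mode")"
        set -- $(file_ugm "$path")                   # $1=owner $2=group $3=mode
        have="$1 $2 $(norm_mode "$3")"
        if [ "$want" != "$have" ]; then
            echo "$path: expected $want, found $have"
        fi
    done < "$permfile"
}

# Demo: create two temporary files, one with the expected mode and one too
# loose, write a constructed permissions file for them (owner and group taken
# from the files themselves, i.e. whoever runs the demo), then audit.
demo_permissions() {
    dir=$(mktemp -d)
    touch "$dir/ok" "$dir/loose"
    chmod 640 "$dir/ok"
    chmod 666 "$dir/loose"
    set -- $(file_ugm "$dir/ok")
    me="$1"; grp="$2"
    {
        echo "# constructed permissions file"
        echo "$dir/ok $me.$grp 640"
        echo "$dir/loose $me.$grp 0640"
        echo "$dir/absent $me.$grp 640"
    } > "$dir/permissions.test"
    check_permissions "$dir/permissions.test"
    rm -rf "$dir"
}

demo_permissions
```

Pointed at /etc/permissions.secure on a real box, the same function tells you which files a switch from "easy" to "secure" would actually touch, which is worth knowing before you let YaST2 change the level.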

Figure 3. YaST2 Security Set

Host System Monitoring

SuSE 8.0 includes Aide, Logdigest, Nmap, Seccheck and Tripwire as optional host monitoring (HIDS) programs. Nmap works the same way it does in Red Hat. Tripwire works almost the same, except that there is no database initialization script such as Red Hat's twinstall.sh, nor is there a crontab entry to run the check, a point we will return to later.

Seccheck (security checker) is a host security analyzer with three levels of scan. When Seccheck is installed, it automatically adds a crontab, /etc/cron.d/seccheck, to run daily, weekly and monthly security checks.

The Seccheck daily run, at midnight, checks for user security vulnerabilities, system abnormalities, module changes and port changes. It also checks for changes in user and group information and for common weaknesses that may indicate an intrusion. The changes since the previous daily run are then mailed to root. See Table 2 for a list of the checks in the daily scan.
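Seccheck's daily job is essentially "snapshot, compare with yesterday, mail the difference". The script below is an added example (not seccheck's code) of the user-information part of that check: given yesterday's and today's copies of a passwd-format file, it reports added and removed accounts, accounts whose entry changed, and any account that newly has UID 0. Both passwd snapshots are constructed for the demo; a real cron job would compare a saved copy of /etc/passwd with the live file and pipe the output to root with mail, which is also the scheduling you have to add by hand for Tripwire on SuSE 8.0.

```shell
#!/bin/sh
# Added example: the user-information half of a daily "what changed since
# yesterday" check, in the spirit of seccheck's daily run.
# Both passwd-format inputs are constructed for the demo.
OLD_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
alice:x:500:100:Alice:/home/alice:/bin/bash
'
NEW_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:500:100:Alice:/home/alice:/bin/zsh
bob:x:0:100:Bob:/home/bob:/bin/bash
'

# Print the account names of a passwd-format file, sorted for comm(1).
names_of() {
    cut -d: -f1 "$1" | sort
}

# Print the names of UID-0 accounts in a passwd-format file, sorted.
uid0_of() {
    awk -F: '$3 == 0 { print $1 }' "$1" | sort
}

# Compare yesterday's ($1) and today's ($2) passwd files and report
#   ADDED: name / REMOVED: name / CHANGED: name / NEW UID 0: name
report_passwd_changes() {
    old="$1"; new="$2"
    work=$(mktemp -d)
    names_of "$old" > "$work/old.names"
    names_of "$new" > "$work/new.names"
    comm -13 "$work/old.names" "$work/new.names" | sed 's/^/ADDED: /'
    comm -23 "$work/old.names" "$work/new.names" | sed 's/^/REMOVED: /'
    # accounts present in both files whose full entry differs (shell, home, UID, ...)
    comm -12 "$work/old.names" "$work/new.names" | while read -r name; do
        before=$(awk -F: -v n="$name" '$1 == n' "$old")
        after=$(awk -F: -v n="$name" '$1 == n' "$new")
        if [ "$before" != "$after" ]; then
            echo "CHANGED: $name"
        fi
    done
    # UID-0 accounts that did not have UID 0 yesterday: the most urgent line
    uid0_of "$old" > "$work/old.uid0"
    uid0_of "$new" > "$work/new.uid0"
    comm -13 "$work/old.uid0" "$work/new.uid0" | sed 's/^/NEW UID 0: /'
    rm -rf "$work"
}

# Demo on the constructed snapshots. A cron job would instead compare a saved
# copy of /etc/passwd with the live file and pipe this output to root via mail.
demo_passwd_changes() {
    snap=$(mktemp -d)
    printf '%s' "$OLD_PASSWD" > "$snap/passwd.yesterday"
    printf '%s' "$NEW_PASSWD" > "$snap/passwd.today"
    report_passwd_changes "$snap/passwd.yesterday" "$snap/passwd.today"
    rm -rf "$snap"
}

demo_passwd_changes
```

The "NEW UID 0" line is the one to act on immediately: a second root-equivalent account appearing overnight is a classic sign of a compromise, and diffing against yesterday catches it even when the account name looks innocuous.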
