Security Tools in Linux Distributions, Part II
In part one of this article, I talked about some of the different methods you could use to monitor your system, focusing on those included in Red Hat 7.3. Now, we move on to the SuSE distribution.
SuSE 8.0's installation program allows the software packages to be viewed as groups or as package sets. To make things easier, one package application group is called security. The only hardening or monitoring tool installed by default is tcp_wrappers. Applications that are available, but not installed by default, include Aide, Arpwatch, Harden_suse, Logdigest, Nessus, Nmap, Saint, Scanlogd, Seccheck, Snort and Tripwire.
To check if other security packages were available, we listed all available packages. We found both Iptraf and Ethereal listed under the network packages set and installed by default. As you can see, one person's network utility is another person's security tool. Using the default installation, we added Aide, Harden_suse, Logdigest, Nessus, Scanlogd, Seccheck, Saint and Snort as optional tools to the installation.
Again, the first step in securing a system is to remove all unwanted services. SuSE uses inetd to listen for connections and the YaST2 (yet another setup tool) configuration tool to edit network services graphically. YaST2 showed that the time, Telnet, rlogin and finger services were activated by default and that Telnet, rlogin and finger were routed through tcpd for access control. We disabled Telnet, rlogin and finger as services we did not want, then checked that OpenSSH was started as a dæmon from /etc/rc.d/sshd as a secure replacement for them.
The next step in the security check is ensuring that the critical system files do not have weak file permissions. SuSE has a security script, Harden_suse, which secures the operating system and makes it resistant to attacks. A strange thing happens when using Harden_suse, however: the script issues a warning that it is only verified to work on SuSE 5.3 up to 7.2. SuSE changed the filesystem in 8.0 to be Linux Standards Base compliant, which may have broken the script. This warning, followed by a second warning that said "the script will secure your system which means it will disable almost all services on the system and tamper with some configuration file", made me very wary. Rather than risk an unsupported script disabling my system, I left it alone.
Fortunately, SuSE's YaST2 control center also has a security settings tool, part of the Security and Users menu. It allows root to define a set of local security configurations, including password settings, user creation settings, console behavior and file permissions. The security settings have the default filesystem permissions set to "easy". This means most system files are readable by root, but not by other users. The more stringent "secure" setting restricts the files that can be viewed by root. And the "paranoid" setting requires that users who run applications be predefined. A list of the system files, their ownership and file permissions is located in /etc/permissions.easy, /etc/permissions.secure and /etc/permissions.paranoid. Users can even customize their own file permission setting by adding themselves to /etc/permissions.local. The YaST2 security settings tool performs many of the same functions as Harden_suse and uses an interactive graphical menu. Most users should be comfortable with the easy or secure settings. Select "paranoid" only if you are sure you need it.
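The permissions files named above are lists of path, owner:group and mode that YaST2 applies to the system. The shell script below is an added example, not part of the article and not SuSE's own tooling: it reads a list in that style (the exact line format is an assumption made for the example), compares each entry with what GNU stat reports and prints the files whose owner, group or mode have drifted, without changing anything. The demo function builds a constructed scratch tree, so the script can be tried safely on any Linux box.

```shell
#!/bin/sh
# Added example, not from the article or from SuSE: audit files against a
# permissions list in the style of /etc/permissions.easy|secure|paranoid.
# Assumed line format (an assumption for this example):
#     <path>   <owner>:<group>   <octal mode>
# Blank lines and lines starting with '#' are ignored.  Nothing is changed;
# the script only reports drift, which is what a monitoring run wants.

# audit_permissions <permissions-file>
# Prints one line per mismatch and returns 1 if any file differs, 0 otherwise.
# A missing file is reported too: a vanished /etc/shadow is as suspicious as
# a world-readable one.
audit_permissions() {
    failures=0
    while read -r path owner_group mode; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            printf '%s MISSING\n' "$path"
            failures=$((failures + 1))
            continue
        fi
        # GNU stat: %U owner name, %G group name, %a octal mode (no leading 0)
        actual=$(stat -c '%U:%G %a' "$path")
        want_mode=$(printf '%s' "$mode" | sed 's/^0*//')
        want="$owner_group ${want_mode:-0}"
        if [ "$actual" != "$want" ]; then
            printf '%s expected %s got %s\n' "$path" "$want" "$actual"
            failures=$((failures + 1))
        fi
    done < "$1"
    [ "$failures" -eq 0 ]
}

# demo_audit: constructs a scratch tree with one correct file and one file
# whose mode has drifted, audits it and prints the mismatch report (one line).
demo_audit() {
    scratch=$(mktemp -d)
    me=$(id -un); grp=$(id -gn)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$scratch/passwd"
    printf 'root:*:12000:0:99999:7:::\n'    > "$scratch/shadow"
    chmod 644 "$scratch/passwd"            # correct
    chmod 644 "$scratch/shadow"            # drift: the list wants 0640
    # constructed permissions list in the assumed format
    cat > "$scratch/permissions.secure" <<EOF
# path  owner:group  mode
$scratch/passwd  $me:$grp  0644
$scratch/shadow  $me:$grp  0640
EOF
    audit_permissions "$scratch/permissions.secure" || true
    rm -rf "$scratch"
}
```

Pointed at the real /etc/permissions.secure, the same function reports every system file whose ownership or mode no longer matches the profile root chose in YaST2, which is a cheap daily cron job to run alongside the integrity checkers discussed later.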
SuSE 8.0 includes Aide, Logdigest, Nmap, Seccheck and Tripwire as optional HIDS programs. Nmap works in the same way as it does in Red Hat. Tripwire works almost the same, except there is no database installation script, such as twinstall.sh in Red Hat, nor is there a crontab, which we will note again later.
Seccheck (security checker) is a host security analyzer with three different levels of scans. When Seccheck is installed, it automatically adds a crontab, /etc/cron.d/seccheck, to run daily, weekly and monthly security checks.
The daily Seccheck run, at midnight, checks for user security vulnerabilities, system abnormalities, module changes and port changes. It also checks for changes in user and group information and for common weaknesses that may indicate an intrusion. The changes since the last daily Seccheck run are then mailed to root. See Table 2 for a list of checks in the daily scan.
Table 2. Seccheck Daily Checks
Length/number/contents of fields; accounts with the same uid; accounts with uid/gid of 0 or 1 besides root and bin
Length/number/contents of fields; accounts with no password
Length/number/contents of fields
User root checks: secure umask and PATH
Checks if important system users are put there
Checks for mail aliases which execute programs
Checks if users' .rhosts files contain + signs
Checks if home directories are writable or owned by someone else
Checks many dot-files in the home directories for being writable or owned by someone else
Checks if user mailboxes are owned by the user and unreadable
NFS export check: exports should not be exported globally
NFS import check: NFS mounts should have the "nosuid" option set
Checks if network cards are in promiscuous mode
Lists loaded modules
Lists open ports
The weekly security check is a more exhaustive user and filesystem check, covering checks that are important but too intensive to run daily. The weekly scripts run every Monday at 1:00am. They include checks for weak passwords, changes in system files, files and executables that are group or world writable, and all system devices. Again, only the differences from the previous weekly scan are mailed to root. See Table 3 for a list of checks in the weekly scan.
Table 3. Seccheck Weekly Checks
Runs john to crack the password file; the user gets an e-mail notice to change his password
rpm md5 check: checks for changed files via rpm's md5 checksum feature
Lists all suid and sgid files
exec group write: lists all executables which are group/world writable
Lists all files which are world writable (including the above)
Lists all devices
Also copied from Marc Heuse.
The monthly security check is run on the first day of every month at 4:00am, and it sends a complete set of information in both daily and weekly checks to root. One pitfall of using Seccheck is that one has to pay attention to when changes are reported. Since only changes to the system from the last Seccheck analysis are e-mailed, anomalies appear only once. If you miss a change, you may not catch suspicious activity for a week or even a month.
Seccheck is a good set of security auditing tools that monitors many of the user-related vulnerabilities. It is surprising that it is not enabled by default.
Even though Seccheck has a filesystem integrity check, it is always better to install a separate system integrity checker that gives you control of the file signature database. SuSE has both Aide and Tripwire as optional HIDS. Since I already discussed Tripwire in the Red Hat example, I am using Aide for this SuSE example. Aide (advanced intrusion detection environment) is a file integrity checker and a free replacement for Tripwire, without some of Tripwire's licensing restrictions. To start using Aide, simply run
# aide --init
to create the Aide database. SuSE keeps the Aide configuration file in /etc/aide.conf, and the database is written to /var/lib/aide/aide.db.new. To check the filesystem, use
# aide --check
Aide can be run daily to report changes in the filesystem, the same way Tripwire is run. SuSE does not include a crontab to run Aide automatically, the way Red Hat does with Tripwire, nor does the Tripwire package on SuSE add a Tripwire crontab. Aide and Tripwire serve both as an alarm for a system penetration and as an aid to intrusion recovery. Both are good; use at least one of them.
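The init/check cycle Aide and Tripwire implement is easy to lose sight of behind their configuration files, so here is an added example, not Aide or Tripwire code and not from the article: the same cycle in miniature, built on sha256sum manifests. Paths, file names and the tampered contents are constructed for the example. It also shows the one design rule that matters most for either tool: the database is kept outside the tree it describes, because a baseline an intruder can rewrite detects nothing.

```shell
#!/bin/sh
# Added example, not Aide or Tripwire code: a file integrity checker's
# init/check cycle in miniature, built on sha256sum manifests.  File names
# containing whitespace are not handled, to keep the awk simple.

# integrity_init <dir> <manifest>: record a hash for every regular file under dir
integrity_init() {
    ( cd "$1" && find . -type f -print | LC_ALL=C sort |
        while read -r f; do sha256sum "$f"; done ) > "$2"
}

# integrity_check <dir> <manifest>: print ADDED/CHANGED/REMOVED lines and
# return 1 if anything differs from the manifest, 0 if the tree is unchanged.
integrity_check() {
    current=$(mktemp)
    integrity_init "$1" "$current"
    # first file is the stored manifest (hash path), second the fresh one
    diffs=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }
        { seen[$2] = 1; if (!($2 in old)) print "ADDED " $2; else if (old[$2] != $1) print "CHANGED " $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -z "$diffs" ]; then
        return 0
    fi
    printf '%s\n' "$diffs"
    return 1
}

# demo_integrity: constructed tree, a baseline taken outside it, then one
# changed, one added and one removed file; prints the three report lines.
demo_integrity() {
    scratch=$(mktemp -d)
    mkdir "$scratch/tree" "$scratch/db"      # database kept outside the tree
    printf 'PermitRootLogin no\n' > "$scratch/tree/sshd_config"
    printf 'root:x:0:0::/root:/bin/sh\n' > "$scratch/tree/passwd"
    integrity_init "$scratch/tree" "$scratch/db/manifest"
    printf 'PermitRootLogin yes\n' > "$scratch/tree/sshd_config"   # changed
    printf '/tmp/x.so\n' > "$scratch/tree/ld.so.preload"           # added
    rm "$scratch/tree/passwd"                                       # removed
    integrity_check "$scratch/tree" "$scratch/db/manifest" || true
    rm -rf "$scratch"
}
```

Aide follows the same shape: after aide --init the new database lands in /var/lib/aide/aide.db.new, as noted above, and with the stock aide.conf it has to be copied to /var/lib/aide/aide.db before aide --check will compare against it. Whichever tool you use, copy the database to read-only media or another host and schedule the check from cron, since SuSE does not do that for you.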
Logdigest is a log analysis and reporting tool that can be optionally installed in SuSE. Based on Logcheck by Psionic Technologies, Logdigest scans log files, sorts the information and e-mails an analysis to the system administrator. Logdigest uses a keyword system to prioritize the log entries, presenting system attacks and unusual events first. It extends Logcheck's report by adding information about the system's mail queue, usage status, network device status and disk usage information to the report.
Logdigest is installed in /etc/cron.daily as aaa_base_logdigest. The Logdigest configuration file and keyword files are installed in /etc/logdigest. They let system administrators define which log entries to prioritize, which log entries to ignore, which logs to parse, who receives the report and whether extended system status information should be added. The Logdigest report is most useful when as much system information as possible is analyzed. By default, Logdigest scans only /var/log/messages, the system information log file, and /var/log/mail, the mail information log file. To increase Logdigest's effectiveness, either add all the system logs to the list of logs Logdigest scans or reconfigure the syslog dæmon to log all information to /var/log/messages. Reconfiguring syslog, by editing /etc/syslog.conf, to log all messages to /var/log/messages ensures that no log files are left out and no information is missed. Logdigest should be run daily, before the log files are rotated.
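The keyword-priority idea behind Logdigest and Logcheck is simple enough to show in a few lines. The script below is an added example, not Logdigest or Logcheck code and not from the article: attack patterns are reported first, ignore patterns are dropped, and whatever is left is listed as unusual. The log lines and the two keyword files are constructed for the example (the scanlogd line approximates its syslog format and is not a real capture), and the keyword file names are assumptions, not Logdigest's real ones.

```shell
#!/bin/sh
# Added example, not Logdigest or Logcheck code: keyword-priority log
# digesting over constructed syslog lines.  Pattern files hold one extended
# regular expression per line; blank lines and '#' comments are dropped first,
# because an empty pattern would match every log line.

# clean_patterns <file>: write usable patterns to stdout
clean_patterns() {
    grep -E -v '^[[:space:]]*(#|$)' "$1" || true
}

# digest_logs <log> <attack-patterns> <ignore-patterns>
# Lines matching an attack pattern come first; then every remaining line
# that no ignore pattern covers.  Empty sections still print their header
# so a reader can tell "nothing found" from "nothing checked".
digest_logs() {
    tmp=$(mktemp -d)
    clean_patterns "$2" > "$tmp/attack"
    clean_patterns "$3" > "$tmp/ignore"
    printf '== Possible attacks ==\n'
    grep -E -f "$tmp/attack" "$1" || true
    printf '== Unusual events ==\n'
    grep -E -v -f "$tmp/attack" "$1" | grep -E -v -f "$tmp/ignore" || true
    rm -rf "$tmp"
}

# demo_digest: constructed /var/log/messages excerpt and keyword files;
# prints the report (two headers, three attack lines, one unusual line).
demo_digest() {
    scratch=$(mktemp -d)
    cat > "$scratch/messages" <<'EOF'
Jun  3 00:12:01 gw scanlogd: From 10.0.0.7 to 10.0.0.1 ports 21, 22, 23, 25, 80, 110, 143, TOS 00 @00:12:01
Jun  3 00:12:05 gw sshd[812]: Failed password for illegal user admin from 10.0.0.7 port 40112 ssh2
Jun  3 00:13:40 gw sshd[815]: Accepted publickey for bobby from 192.168.1.5 port 51022 ssh2
Jun  3 00:15:00 gw /USR/SBIN/CRON[820]: (root) CMD (run-parts /etc/cron.daily)
Jun  3 00:16:12 gw kernel: eth0: Promiscuous mode enabled.
Jun  3 00:20:00 gw su: (to root) alice on /dev/pts/1
EOF
    cat > "$scratch/attack.keywords" <<'EOF'
# anything scanlogd reports is a port scan by definition
scanlogd:
Failed password
Promiscuous mode
EOF
    cat > "$scratch/ignore.keywords" <<'EOF'
CRON\[
Accepted publickey
EOF
    digest_logs "$scratch/messages" "$scratch/attack.keywords" "$scratch/ignore.keywords"
    rm -rf "$scratch"
}
```

The ordering is the whole point: a scan logged by Scanlogd or a promiscuous interface reported by the kernel should be the first thing root reads, not something buried after a page of cron entries. Sending everything to /var/log/messages with a *.* line in /etc/syslog.conf, as suggested above, means one such pass covers every dæmon on the host.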
SuSE installs Iptraf and Ethereal by default and Arpwatch, Snort, Saint and Nessus as optional packages.
Since Iptraf, Ethereal and Arpwatch work in the same way as do the versions in Red Hat, I'll concentrate on the other tools selected earlier in our installation: Scanlogd, Snort, Saint and Nessus.
Scanlogd is a system dæmon that logs portscans to the system logs. It can be started as a network dæmon from /etc/rc.d/scanlogd. It logs a scan if at least "7 privileged ports or 21 non-privileged ports, or a weighted average of the two have been accessed, with no longer than 3 seconds between the accesses". Scanlogd can run continuously to monitor for hackers probing the system. Because Scanlogd only logs scans to syslog, it depends on the system administrator to monitor the logs and take action.
Snort is a network intrusion detection tool that can log and analyze packets in real time. It can detect a variety of port scans, probes, OS fingerprinting attempts and attacks. Snort is a modular, rules-based system that detects a number of attacks, not only against Linux and UNIX but also against Microsoft systems. It provides real-time alerts to the host via syslog or to a remote host via a UNIX socket.
Snort can be started as a network dæmon from /etc/rc.d/snort. Users will want to add their home network information to the Snort configuration file in /etc/snort/snort.conf. The /etc/snort directory contains many attack signature modules, including signatures for IIS, DNS, finger, FTP, NetBIOS, Telnet, ColdFusion and FrontPage attacks. Snort should be run continuously to monitor for attacks. It provides great information, but it also depends on the system administrator to check the logs and take action.
Finally, Saint (Security Administrator's Integrated Network Tool) and Nessus are optional NIDS tools. They are vulnerability scanners rather than network monitors. They scan target hosts, determine which applications are running and report if any known vulnerabilities are found.
Saint is a web-based vulnerability scanner. It gathers information about networks and hosts and displays it in a standard browser, such as Netscape or Konqueror. Running Saint on SuSE is as easy as typing
in an X terminal. In the past, Saint required the system to have a fully qualified domain name and other authentication to work, but no longer. It includes options for a variety of scans, including one to scan only for the SANS Top 20 Internet Security Vulnerabilities. Saint is a good tool to run after you have secured your system; it helps you verify that your system is protected against known vulnerabilities.
Nessus is a client/server distributed program that can also test multiple servers for a wide range of vulnerabilities. The server portion of Nessus can be started as a dæmon from /etc/rc.d/nessusd. The client, nessus, controls the scans and displays the report, and it can run as an X, Java or MS Windows client. The Nessus server dæmon asks you to create encrypted user/password keys with the nessus-adduser command if you have not already created them; this prevents unauthorized users from connecting to the server and running scans. A Nessus check shows a system's vulnerabilities and recommends changes to improve security. The nessusd dæmon should be run only as needed; otherwise it uses up resources and exposes a service that could itself be hacked.
Securing a Red Hat or SuSE system has been made much simpler with the security tools now available on each distribution. Both Red Hat and SuSE have good security add-ons. Red Hat tools include Tripwire and Logwatch as HIDS and Arpwatch, Ethereal and Iptraf as NIDS. SuSE offers system hardening tools, part of the YaST2 security control center, as well as Seccheck, Tripwire, Aide and Logdigest as HIDS. Ethereal, Iptraf, Scanlogd, Saint, Snort and Nessus are all available as NIDS. Spend a little time finding and using the tools on a distribution during the installation process. It can save you a lot of time and help keep your system secure.
For more detailed discussions of the tools in this article, see:
"Using xinetd", Jose Nazario, Linux Journal, March 2001.
"Checking Your Work with Scanners, Part 1: nmap", Mick Bauer, Linux Journal, May 2001.
"Intrusion Detection for the Masses", Mick Bauer, Linux Journal, July 2001.
"Understanding IDS for Linux", Pedro Bueno, Linux Journal, May 2002.
"Checking Your Work with Scanners, Part II: Nessus", Mick Bauer, Linux Journal, May 2001.
For more information about Linux distribution features, see "2001 Linux Functional Review", D.H. Brown Associates, Inc, September 2001.
For more information on widely used security tools, visit "Top 50 Security Tools"
Security Consensus Operational Readiness Evaluation, Linux.doc Checklist
For more information about Harden_Suse, visit Marc Heuse's web site.
For more about scanlogd, see the Scanlogd man page.
Bobby S. Wen is a senior technical manager with two engineering degrees and an MBA. He started playing with Linux in 1994 and has been addicted ever since. In his spare time, he tries to prevent his children from hacking into the home gateway server and turning on chat and file sharing.