by Graham Williams
|
|
GNU/Linux Desktop Survival Guide
by Graham Williams |
|
|||
Security Check | 
|
Visit Shields Up to test the security of your machine. This web site will contact your host and perform a number of very informative security tests.
The nessus package is an excellent package for checking known security problems. Install on one machine both nessus (the client) and nessusd (the server).
For nessusd you need to create a user account using nessusd-adduser. One suggestion is to simply create a user with the same name as your user account (e.g., kayon). Then start the daemon (server) with:
# nessusd -D |
Note that this daemon is not automatically run within the /etc/init.d framework.
As a user start up the nessus client and login with your user name. Go to the Target selection tab and type in a list of hosts you wish to check, comma separated. If you want to test all machine on your network, try something like 192.167.0.1/24.
After you click Start the scan the checking is initiated. Eventually a report will be presented. You can save the report in various formats, including LATEX.
The testing is extensive and the report provides suggestions for eliminating security holes.
The chkrootkit package provides the chkrootkit command to check for signs of rootkits on the local system. Run the command as root and scan the output for warnings.
# chkrootkit ROOTDIR is `/' Checking `amd'... not found Checking `basename'... not infected Checking `biff'... not found Checking `chfn'... not infected Checking `chsh'... not infected Checking `cron'... not infected Checking `date'... not infected Checking `du'... not infected Checking `dirname'... not infected Checking `echo'... not infected Checking `egrep'... not infected Checking `env'... not infected Checking `find'... not infected Checking `fingerd'... not found Checking `gpm'... not found Checking `grep'... not infected Checking `hdparm'... not infected Checking `su'... not infected Checking `ifconfig'... not infected Checking `inetd'... not infected Checking `inetdconf'... not infected Checking `identd'... not found Checking `init'... not infected Checking `killall'... not infected Checking `ldsopreload'... not infected Checking `login'... not infected Checking `ls'... not infected Checking `lsof'... not found Checking `mail'... not infected Checking `mingetty'... not found Checking `netstat'... not infected Checking `named'... not found Checking `passwd'... not infected Checking `pidof'... not infected Checking `pop2'... not found Checking `pop3'... not found Checking `ps'... not infected Checking `pstree'... not infected Checking `rpcinfo'... not infected Checking `rlogind'... not found Checking `rshd'... not found Checking `slogin'... not infected Checking `sendmail'... not infected Checking `sshd'... not infected Checking `syslogd'... not infected Checking `tar'... not infected Checking `tcpd'... not infected Checking `tcpdump'... not infected Checking `top'... not infected Checking `telnetd'... not found Checking `timed'... not found Checking `traceroute'... not found Checking `vdir'... not infected Checking `w'... not infected Checking `write'... not infected Checking `aliens'... no suspect files Searching for sniffer's logs, it may take a while... nothing found Searching for HiDrootkit's default dir... nothing found Searching for t0rn's default files and dirs... nothing found Searching for t0rn's v8 defaults... nothing found Searching for Lion Worm default files and dirs... nothing found Searching for RSHA's default files and dir... nothing found Searching for RH-Sharpe's default files... nothing found Searching for Ambient's rootkit (ark) default files and dirs... nothing found Searching for suspicious files and dirs, it may take a while... nothing found Searching for LPD Worm files and dirs... nothing found Searching for Ramen Worm files and dirs... nothing found Searching for Maniac files and dirs... nothing found Searching for RK17 files and dirs... nothing found Searching for Ducoci rootkit... nothing found Searching for Adore Worm... nothing found Searching for ShitC Worm... nothing found Searching for Omega Worm... nothing found Searching for Sadmind/IIS Worm... nothing found Searching for MonKit... nothing found Searching for Showtee... nothing found Searching for OpticKit... nothing found Searching for T.R.K... nothing found Searching for Mithra... nothing found Searching for OBSD rk v1... nothing found Searching for LOC rootkit ... nothing found Searching for Romanian rootkit ... nothing found Searching for Suckit rootkit ... nothing found Searching for Volc rootkit ... nothing found Searching for Gold2 rootkit ... nothing found Searching for TC2 Worm default files and dirs... nothing found Searching for Anonoying rootkit default files and dirs... nothing found Searching for ZK rootkit default files and dirs... nothing found Searching for ShKit rootkit default files and dirs... nothing found Searching for anomalies in shell history files... nothing found Checking `asp'... not infected Checking `bindshell'... not infected Checking `lkm'... You have 5 process hidden for ps command Warning: Possible LKM Trojan installed Checking `rexedcs'... not found Checking `sniffer'... eth0 is not promisc Checking `w55808'... not infected Checking `wted'... nothing deleted Checking `scalper'... not infected Checking `slapper'... not infected Checking `z2'... nothing deleted |
Note that with current versions of ps and chkrootkit (as of 3 December 2003), ps reports the PID of some kernel processes as 0 which chkrootkit does not match to the process. Output from ps is:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.0 0.0 1484 488 ? S Dec02 0:00 init root 2 0.0 0.0 0 0 ? SW Dec02 0:00 keventd root 0 0.0 0.0 0 0 ? SWN Dec02 0:00 ksoftirqd_CPU0 root 0 0.0 0.0 0 0 ? SWN Dec02 0:00 ksoftirqd_CPU1 root 0 0.0 0.0 0 0 ? SW Dec02 0:00 kswapd root 0 0.0 0.0 0 0 ? SW Dec02 0:00 bdflush root 0 0.0 0.0 0 0 ? SW Dec02 0:00 kupdated root 22 0.0 0.0 0 0 ? SW Dec02 0:00 aacraid |
For LKM warnings you can get the process ID with:
# chkrootkit -x lkm ROOTDIR is `/' ### ### Output of: ./chkproc -v -v ### PID 3: not in ps output CWD 3: / EXE 3: / PID 4: not in ps output CWD 4: / EXE 4: / PID 5: not in ps output CWD 5: / EXE 5: / PID 6: not in ps output CWD 6: / EXE 6: / PID 7: not in ps output CWD 7: / EXE 7: / You have 5 process hidden for ps command |
The process information can be checked in /proc/
process
id
/status:
$ cat /proc/3/status Name: ksoftirqd_CPU0 State: S (sleeping) Tgid: 0 Pid: 3 PPid: 1 TracerPid: 0 Uid: 0 0 0 0 Gid: 0 0 0 0 FDSize: 32 Groups: SigPnd: 0000000000000000 SigBlk: ffffffffffffffff SigIgn: 0000000000000000 SigCgt: 0000000000000000 CapInh: 0000000000000000 CapPrm: 00000000ffffffff CapEff: 00000000fffffeff |
You can also look at the processes involved in the pstree:
$ pstree -p |grep '([34567])'
|-bdflush(6)
|-ksoftirqd_CPU0(3)
|-ksoftirqd_CPU1(4)
|-kswapd(5)
|-kupdated(7)
|