![Page 1: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/1.jpg)
Creating, Using and Justifying the Auditor's
Toolkit
• Welcome
• General announcements
![Page 2: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/2.jpg)
Creating, Using and Justifying the Auditor's
Toolkit
ISACA Presentation
April 2003
Ed Capizzi
![Page 3: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/3.jpg)
Schedule etc.
• Breakfast
• Intro, admin & methodology
• Outside-in tools
• Unix
• Lunch
• Windows
• Hands on
![Page 4: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/4.jpg)
Administrivia
• Location information
• Pagers and cell phones
• Fire escapes
• Food
• Start / stop times
• Location of restrooms
• General room rules and mood
![Page 5: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/5.jpg)
Assumptions
• Auditors have all the front-end time & field work time they need
• Auditors have large budgets for tools and training
• Auditors always get full cooperation of, and unlimited access to, audit areas
• No one minds being audited
• You are already experts on everything
![Page 6: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/6.jpg)
Real World Assumptions
• You have to become an expert at everything FAST (or at least brush up!)
• You need something you can apply now
• You probably run a WinTel based machine
• You probably don't have admin / root level access (of your own) to the systems you audit
• You have to be part tech, part teacher, part politician
• Even “free, industry best practices” require some selling
![Page 7: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/7.jpg)
Real World Assumptions
• This is one way to do things, not THE way
• Linux (for this presentation) is RedHat
• Solaris (for this presentation) is 2.6
• HP (for this presentation) is 11.x
![Page 8: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/8.jpg)
Our Approach
• Learn to fish
• Basics, basics, basics
• Keep it simple
• Inside out, outside in
• Creative use of “indigenous resources” (utilities included in the existing OS)
• Audits (& auditors) must be “environmentally friendly and low impact”
![Page 9: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/9.jpg)
Our Approach
1. Subsystem(s) involved
2. Best practice examples/settings
3. Ramifications of settings or principles
4. How to sell to administrators and management
5. Which tool to use to accomplish which task
![Page 10: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/10.jpg)
15 Main Areas
1) Account Policies
2) Auditing
3) Device Drivers
4) Drives
5) Event Log
6) Printer Permissions
7) Processes
8) Registry
9) Remote Access
10) Scheduled Tasks
11) System Info
12) Services
13) Shares
14) Trusted Relationships
15) Users & Groups
![Page 11: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/11.jpg)
Account Policies
What are the tools?
– admintool (GUI, Solaris)
  • /etc/default/passwd (Sun)
  • /etc/passwd
– sam (GUI, HP)
  • /etc/passwd
– userconf or redhat-config-users (GUI, Red Hat Linux)
  • /etc/passwd (Linux)
What can they tell us?
![Page 12: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/12.jpg)
Account Policies
What can they tell us*:
o login name
o encrypted password
o numerical user ID
o numerical group ID
o reserved gecos ID
o initial working directory
o program to use as shell
BUT WE WANT MORE!
![Page 13: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/13.jpg)
Account Policies
To get more, the system has to be using: shadow passwords (Solaris / Linux)
/etc/shadow
or
“trusted system” (HP)
/tcb/files/auth/
More on this later, stay tuned...
![Page 14: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/14.jpg)
Account Policies
Where are the files? (review)
Standard systems
/etc/default/passwd (Sun)
/etc/passwd (HP & Linux)
Shadowed or trusted systems
/etc/default/passwd (Sun)
/etc/passwd (Sun & Linux)
/tcb/files/auth/ (HP)
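The seven /etc/passwd fields and the aging fields in /etc/shadow are exactly what an auditor reads off these files. The script below, an added example and not part of the presentation, parses constructed sample records (labelled as such in the code) and reports the weaknesses the slides are driving at: a hash still sitting in world-readable /etc/passwd, an empty password, a second UID 0 account, and a password maximum age beyond a policy limit. It covers the Solaris/Linux shadow layout only; the HP-UX trusted-system /tcb/files/auth database uses a different format and is not handled.

```python
"""Account-policy checks over /etc/passwd and /etc/shadow records.

Added example, not from the presentation.  The records below are constructed
so that each weakness the slides mention shows up once; HP-UX trusted-system
(/tcb/files/auth) layouts are not handled here.
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "flag")

# Constructed sample records (not from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$ijklmnopqrstuvwxyz01234:1002:100:Bob:/home/bob:/bin/bash
guest:x:1003:100:Guest:/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
"""
SHADOW = """\
root:$1$saltsalt$hashhashhashhashhashhash:12000:0:90:7:::
alice:$1$saltsalt$hashhashhashhashhashhas1:12000:0:99999:7:::
guest::12000:0:90:7:::
toor:$1$saltsalt$hashhashhashhashhashhas2:12000:0:90:7:::
"""

# Placeholders that mean "no hash here" rather than a usable hash.
NOT_A_HASH = {"x", "*", "!", "!!", "*LK*", "NP"}


def parse_table(text, fields):
    """Split colon-separated records into dicts keyed by the field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError(f"malformed record: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def audit_accounts(passwd_text, shadow_text, max_age=90):
    """Return (user, finding) pairs for the account weaknesses found."""
    findings = []
    shadow = {r["name"]: r for r in parse_table(shadow_text, SHADOW_FIELDS)}
    for acct in parse_table(passwd_text, PASSWD_FIELDS):
        name, pw = acct["name"], acct["passwd"]
        if acct["uid"] == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if pw == "":
            findings.append((name, "empty password in /etc/passwd"))
        elif pw not in NOT_A_HASH:
            # A real hash in world-readable /etc/passwd: the account is not shadowed.
            findings.append((name, "hash stored in /etc/passwd (not shadowed)"))
        if pw != "x":
            continue                # shadow checks only apply to shadowed accounts
        sh = shadow.get(name)
        if sh is None:
            findings.append((name, "no /etc/shadow entry"))
            continue
        if sh["hash"] == "":
            findings.append((name, "empty password in /etc/shadow"))
        if not sh["max"].isdigit() or int(sh["max"]) > max_age:
            findings.append((name, f"password max age {sh['max'] or 'unset'} "
                                   f"exceeds {max_age} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{user:8} {finding}")
```

On a live system the two texts would come from `cat /etc/passwd` and, with the appropriate privilege, `cat /etc/shadow`; the 90-day limit is a parameter so it can be set to whatever the local policy says.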
![Page 15: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/15.jpg)
SAM
![Page 16: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/16.jpg)
Sam
![Page 17: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/17.jpg)
Sam
![Page 18: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/18.jpg)
Linuxconf
![Page 19: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/19.jpg)
Linuxconf
![Page 20: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/20.jpg)
Auditing
• user logon / logoff
• system restart, start up, shutdown
• object access
![Page 21: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/21.jpg)
Auditing
Linux
– /etc/syslog.conf
– /var/log/messages
Sun
– /etc/syslog.conf
– /var/adm/messages
HP-UX
– /etc/syslog.conf
– /var/adm/syslog/syslog.log
![Page 22: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/22.jpg)
Auditing
Linux & HP
dmesg – boot diagnostics & messages
Sun
prtdiag
Cool tool alert!!!
Rosetta Stone for Unix!
![Page 23: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/23.jpg)
Rosetta Stone for Unix
![Page 24: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/24.jpg)
Auditing
lastb
![Page 25: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/25.jpg)
Auditing
• last
![Page 26: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/26.jpg)
Auditing
• dmesg
![Page 27: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/27.jpg)
Auditing
• HPUX “Trusted System”
– passwords moved from /etc/passwd
– All users must have a password
– Check /etc/rc.config.d/auditing & /sbin/rc2.d/S760auditing. /etc/rc.config.d/auditing holds the auditing control parameters.
– /tcb/files/ttys
  • uid of user logged into each terminal, logins & unsuccessful logins
![Page 28: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/28.jpg)
Auditing
A.K.A. Setting up syslog!
![Page 29: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/29.jpg)
Syslog.conf
• Simple text file with the format
  facility.loglevel <Tab> log target
  e.g. mail.* /var/log/daemon.log
-rw------- 1 root root 702093 Mar 17 17:56 /var/log/messages
Owned by root (rw) – 'log' group (r) (if needed) – 'other' gets no permissions
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
![Page 30: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/30.jpg)
Syslog.conf (con't)
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
![Page 31: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/31.jpg)
Syslog logging Levels
• emerg – System is unusable
• alert – Action must be taken NOW
• crit – Critical conditions
• err – Error conditions
• warning – Warning conditions
• notice – Normal but significant
• info – FYI
• debug – More than you want to know (programmers only)
![Page 32: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/32.jpg)
Syslog targets
• /path/to/file – Message appended to the given file
• @loghost – Sent to the syslog server on host 'loghost'
• * – Message written to all logged-in users
• user1,user2 – Message written to user1 & user2
• /dev/console – Message written to the named tty
• | /path/to/named_pipe – Message written to the named pipe
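When reviewing a syslog.conf the question an auditor actually wants answered is "where does a message of facility X at level Y end up, and do authentication records get mixed into a file that ordinary noise goes to?" The following is an added example, not the presentation's code: it parses the selector grammar described on the previous slides (facility[,facility].level meaning that level and above, .none, .*, and the sysklogd '=level' exact match) and resolves the targets for a given message. The configuration is a constructed sample built from the slide's Red Hat-style rules plus one assumed line forwarding kernel messages to a loghost.

```python
"""Resolve where a syslog message lands under a given syslog.conf.

Added example, not the presentation's code.  The config below copies the
slide's Red Hat-style rules plus one constructed line that forwards kernel
messages to a loghost.  Supports the classic selector grammar the slides
describe: facility[,facility].level (level and above), .none, .* and the
sysklogd '=level' exact match.
"""
import re

# Constructed sample syslog.conf (the slide's rules plus a loghost line).
SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              /var/log/maillog
uucp,news.crit                      /var/log/spooler
local7.*                            /var/log/boot.log
kern.*                              @loghost
"""

# Priorities from least to most severe; 'facility.level' selects this level and up.
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}


def parse_syslog_conf(text):
    """Return [(selectors, target)], selectors being [(facilities, op, level)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # The selector never contains whitespace, so the first gap ends it;
        # this keeps targets such as '| /path/to/pipe' intact.
        selector_part, target = re.split(r"\s+", line, maxsplit=1)
        selectors = []
        for sel in selector_part.split(";"):
            facilities, level = sel.rsplit(".", 1)
            op = ""
            if level[:1] == "=":
                op, level = "=", level[1:]
            selectors.append((facilities.split(","), op, ALIASES.get(level, level)))
        rules.append((selectors, target))
    return rules


def route(rules, facility, level):
    """Targets that receive a message of (facility, level)."""
    level = ALIASES.get(level, level)
    targets = []
    for selectors, target in rules:
        matched = False
        # Within one rule the last selector naming the facility wins,
        # which is how 'mail.none' after '*.info' excludes mail.
        for facilities, op, lvl in selectors:
            if "*" not in facilities and facility not in facilities:
                continue
            if lvl == "none":
                matched = False
            elif lvl == "*":
                matched = True
            elif op == "=":
                matched = level == lvl
            else:
                matched = LEVELS.index(level) >= LEVELS.index(lvl)
        if matched:
            targets.append(target)
    return targets


def authpriv_shared_targets(rules):
    """Targets where authpriv (login) records mix with ordinary traffic."""
    private = set(route(rules, "authpriv", "info"))
    general = set(route(rules, "cron", "info"))
    return sorted(private & general)


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    for fac, lvl in [("authpriv", "info"), ("mail", "err"), ("kern", "debug")]:
        print(f"{fac}.{lvl:6} -> {route(rules, fac, lvl)}")
    print("authpriv mixed into:", authpriv_shared_targets(rules))
```

An empty result from `authpriv_shared_targets` confirms the "Don't log private authentication messages!" comment on the slide is actually honoured; a non-empty one names the shared file whose permissions then need the same scrutiny as /var/log/secure.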
![Page 33: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/33.jpg)
Device Drivers
• How the system handles hard drives, keyboards or any other peripheral attached to the system
• Located in /dev
  – Character devices
    • communicate in echoed characters
  – Block devices
    • communicate in 512- or 1024-byte blocks of data
    • faster access
![Page 34: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/34.jpg)
Devices
• The device type is indicated by the first character in the permission block, i.e.
crw--w--w- 1 root root 4, 1 Jul 19 13:26 tty1
crw--w--w- 1 root root 4, 2 Jul 19 13:26 tty2
Major device number – identifies the device driver
Minor device number – identifies the individual device handled by that driver
![Page 35: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/35.jpg)
Devices
• Device permissions are important!
• /dev/kmem = kernel memory
• /dev/hda1 = hard disk
  – access to this may allow a dump of disk files, bypassing /etc/passwd
• Use groups and sudo
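The two slides above give the auditor a method: read the type character and the major/minor pair from `ls -l /dev`, then ask who can open the raw disk and kernel-memory nodes. The script below is an added example, not from the presentation. It parses a constructed `ls -l` listing (labelled in the code; it mixes ordinary entries such as tty1 and null with the mistakes the slide warns about) and reports device nodes whose mode lets "other", or a broad group, read or write raw disk or memory.

```python
"""Flag risky permissions on device files from an 'ls -l /dev' listing.

Added example, not from the presentation.  The listing below is constructed:
it mixes normal entries (tty1, null) with the kind of mistakes the slide
warns about (a world-readable disk partition, world-accessible /dev/mem).
"""
import re

LISTING = """\
crw--w--w-   1 root root   4,   1 Jul 19 13:26 tty1
brw-rw----   1 root disk   3,   1 Jul 19 13:26 hda1
brw-r--r--   1 root disk   3,   2 Jul 19 13:26 hda2
crw-r-----   1 root kmem   1,   2 Jul 19 13:26 kmem
crw-rw-rw-   1 root root   1,   1 Jul 19 13:26 mem
crw-rw-rw-   1 root root   1,   3 Jul 19 13:26 null
"""

# Only device files (type b or c) carry a "major, minor" pair where a size would be.
LS_LINE = re.compile(
    r"^(?P<type>[bc])(?P<perms>[rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<major>\d+),\s*(?P<minor>\d+)\s+\S+\s+\S+\s+\S+\s+(?P<name>\S+)$"
)

# Character devices that expose kernel or physical memory.
MEMORY_DEVICES = {"mem", "kmem", "port"}


def parse_dev_listing(text):
    """Return one dict per device line: type, perms, owner, group, major, minor, name."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:                       # non-device lines (dirs, symlinks) are skipped
            e = m.groupdict()
            e["major"], e["minor"] = int(e["major"]), int(e["minor"])
            entries.append(e)
    return entries


def audit_devices(entries):
    """Return (name, finding) pairs for device nodes whose mode is too open."""
    findings = []
    for e in entries:
        perms, name = e["perms"], e["name"]
        group_r = perms[3] == "r"
        other_r, other_w = perms[6] == "r", perms[7] == "w"
        if e["type"] == "b":
            # Raw disk access sidesteps every file permission on the filesystem.
            if other_r:
                findings.append((name, "raw disk readable by everyone"))
            if other_w:
                findings.append((name, "raw disk writable by everyone"))
            if group_r:
                findings.append((name, f"group '{e['group']}' can read raw disk; "
                                       "review its members"))
        elif name in MEMORY_DEVICES:
            if other_r:
                findings.append((name, "kernel/physical memory readable by everyone"))
            if other_w:
                findings.append((name, "kernel/physical memory writable by everyone"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_devices(parse_dev_listing(LISTING)):
        print(f"/dev/{name}: {finding}")
```

The group finding is deliberately informational: a `disk` or `kmem` group is the "use groups and sudo" approach the slide recommends, and the audit step is to check who is in that group rather than to remove the bit.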
![Page 36: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/36.jpg)
Drives
• mount – to show what is mounted
• df -k, df -h – to see free space
• /etc/fstab (/etc/vfstab on Solaris) – to see file system mount point descriptions
• description of /dev/dsk -vs- /dev/rdsk
![Page 37: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/37.jpg)
Local-vs-remote
• mount
• /etc/fstab
• /etc/dfs/dfstab
share – lists all current shares (Sun)
exportfs -v – lists all current shares (HP & Linux)
nfsstat – NFS performance statistics (HP & Sun)
![Page 38: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/38.jpg)
Event Log
• Syslog (and /etc/syslog.conf)
  /var/log/messages (Linux)
  /var/adm/messages (HP & Sun)
• tail and / or grep
• Ask if swatch or logcheck may be running
![Page 39: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/39.jpg)
Printer Permission
• /etc/hosts.lpd = hosts that can print
  – You can also put them in /etc/hosts.equiv, but that opens them to use r-services too!
  – lpadmin (Solaris); ls -alR /etc/lp
• Linux
  – cat /etc/printcap.local
    • shows all local printers
  – printtool (GUI)
• HP-UX
  – lpadmin
    • /etc/lp/*
    • /var/adm/lp*
![Page 40: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/40.jpg)
Processes
• Before we begin..
Policy
Best Practices
Goals of Security
![Page 41: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/41.jpg)
init Process
init is always process #1 (all other things that happen before this are actually part of the kernel or kernel processes)
The “system father task” that propagates all child processes needed for operation.
Configuration file: /etc/inittab
![Page 42: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/42.jpg)
/etc/inittab
• Defines the default run level
  – id:5:initdefault:
  – strt:3:initdefault:
• Executes any process entries that have sysinit in the action field (so that any special initialisation takes place before the users log in)
• Defines processes for specific run levels
  – rebt:6:wait:/etc/init.d/announce restart
    identifier : runlevel(s) processed at : the action : the process
![Page 43: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/43.jpg)
Runlevels
• 0 – Shutdown or halt the system
• 1 – Single user (administrative) mode
• 2 – Basic multi-user mode (all daemons, no NFS)
• 3 – Multi-user mode (all daemons and NFS)
• 4 – Reserved
• 5 – Reboot the system (passing through runlevel 0)
• S or s – Single user mode, all file systems mounted and accessible
• 6 – Shut down the machine / reboot
![Page 44: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/44.jpg)
Run Levels (con't)
How do I display the current runlevel?
• HP & Solaris
  – # who -r
    run-level 3 Feb 28 10:55 3 0 S
    fields: current run level, date and time of the run level change, current run level (again), number of times at this run level since last reboot, previous run level
• Linux
  – # /sbin/runlevel
    N 5 or 3 5 (none before and now 5, or 3 before and 5 now)
![Page 45: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/45.jpg)
rc scripts
Run Control Scripts exist for each run level
Scripts start and/or stop all processes needed to put the system into the appropriate run level
S = start, K = kill (stop)
• processed sequentially 0-99
![Page 46: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/46.jpg)
Solaris rc scripts
Run Control Scripts exist for each run level
• /sbin/rc# – one directory of scripts for each run level
  • /sbin/rc3 -> /etc/rc3.d/
    – S15nfs.server
![Page 47: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/47.jpg)
Linux rc scripts
Run Control Scripts exist for each run level
• /etc/rc.d/rc.local
• /etc/rc.d/rc# – one directory of scripts for each run level
  • /etc/rc.d/rc3
    – K20nfs
![Page 48: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/48.jpg)
rc scripts
Run Control Scripts exist for each run level
![Page 49: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/49.jpg)
HP rc scripts
Run Control Scripts exist for each run level
• /sbin/rc#.d – one directory of scripts for each run level
  • /sbin/rc3.d/
    – K20nfs
![Page 50: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/50.jpg)
Processes
• ps -aef
• ps -aux
• inetd
  /etc/inetd.conf
• how to start & stop
  /etc/init.d/name start | stop | restart
• /proc directory: cd /proc/<pid>; ls
![Page 51: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/51.jpg)
Processes – ps -aef
![Page 52: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/52.jpg)
Processes – ps -aux
![Page 53: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/53.jpg)
Processes – inetd
/etc/inetd.conf
![Page 54: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/54.jpg)
Processes (TOP)
![Page 55: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/55.jpg)
Processes
• /etc/services
  – read by inetd
netstat 15/tcp
qotd 17/tcp quote
msp 18/tcp # message send protocol
msp 18/udp # message send protocol
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp 21/tcp
fsp 21/udp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
![Page 56: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/56.jpg)
Registry: Bind, SNMP, HTTP
• Bind
• SNMP
• HTTP
![Page 57: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/57.jpg)
Registry: Bind, SNMP, HTTP
• Bind
  – nslookup: change to that server, then ls -d domain name
  – /etc/named.conf
![Page 58: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/58.jpg)
Registry: Bind, SNMP, HTTP
• Bind
C:\>nslookup
Default Server: hm01.mycompany.com
Address: 10.199.128.10
> server 10.199.128.10
Default Server: hm01.mycompany.com
Address: 10.10.128.10
> ls -d mycompany.com
[hm01.mycompany.com]
*** Can't list domain mycompany.com: Query refused
![Page 59: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/59.jpg)
Registry: Bind, SNMP, HTTP
• Bind
  – /etc/named.conf
cat /etc/named.conf | grep -i -A 10 'allow'
allow-transfer {
  127.0.0.1; // localhost
  10.0.0.2; // secondary DNS server for my zone
};
};
![Page 60: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/60.jpg)
ICAT Metabase
![Page 61: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/61.jpg)
ICAT Metabase
![Page 62: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/62.jpg)
ICAT Metabase
![Page 63: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/63.jpg)
SNMP
• SNMP files
  • /usr/sbin/snmpd
  • /usr/sbin/snmpdm
  • /usr/sbin/mib2agt
  • /usr/sbin/hp_unixagt
  • /usr/sbin/trapdestagt
  • /etc/SnmpAgent.d/snmpd.conf
  • /var/adm/snmpd.log
  • /opt/OV/snmp_mibs/
  • /sbin/SnmpAgtStart.d/
![Page 64: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/64.jpg)
SNMP
snmpwalk 10.10.2.1 public
system.sysDescr.0 = HP-UX Alice B.11.00 E 9000/889
system.sysObjectID.0 = OID: enterprises.11.2.3.2.3
system.sysUpTime.0 = Timeticks: (1062137248) 122 days, 22:22:52.48
system.sysContact.0 =
system.sysName.0 = tinker
system.sysLocation.0 =
system.sysServices.0 = 72
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
interfaces.ifNumber.0 = 3
at.atTable.atEntry.atIfIndex.1.1.170.199.6.1 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.5 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.9 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.30 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.43 = 1
![Page 65: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/65.jpg)
Registry: Bind, SNMP, HTTP
# telnet 10.10.2.1 80
Trying...
Connected to 10.10.2.1.
Escape character is '^]'.
GET / HTTP/1.0
GET / HTTP/1.1
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 21:24:56 GMT
Server: HP Apache-based Web Server/1.3.26 (Unix)
Last-Modified: Thu, 20 Mar 2003 19:57:37 GMT
ETag: "ae3-116e-3e7a1d31"
Accept-Ranges: bytes
![Page 66: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/66.jpg)
Registry: Bind, SNMP, HTTP
Content-Length: 4462
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Startup Page for HP Apache-based Web Server on HP-UX</TITLE>
<style type="text/css">
<!--
BODY {
font-family: Verdana, Helvetica, Arial, Sans-serif;
}
H1 {
font-family: Verdana, Helvetica, Arial, Sans-serif;
font-size:24pt;
}
-->
</style>
![Page 67: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/67.jpg)
Remote Access
• R-services
• telnet
• ssh
• /var/log/secure
  – cat and grep for in.telnetd, rlogin, etc.
  – find /var/log/ -name 'secure*' -exec cat {} \; > /tmp/sec.log.atxt
• rpcinfo -p
  – prints information if RPC is running
![Page 68: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/68.jpg)
Scheduled Tasks
• Cron
  – crontab -l
    1  2  3  4  5
    21 14 *  *  2  /path/to/whatever/bin/sh /etc/2run
  Field 1: MINUTE (0-59)
  Field 2: HOUR (0-23)
  Field 3: DAY OF MONTH (1-31)
  Field 4: MONTH OF YEAR (1-12)
  Field 5: DAY OF WEEK (0-6), note 0 = Sun, 2 = Tue, 4 = Thu, 6 = Sat
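Reading a crontab by hand means expanding each of the five fields against the ranges on the slide and remembering that day-of-week starts at Sunday = 0. The script below is an added example, not part of the presentation: it decodes a constructed entry modelled on the slide's `21 14 * * 2` line (the command path is a placeholder), reports when the job fires, and checks whether it would run at a given date and time. It goes a little beyond the slide by handling lists, ranges and steps (`1,15`, `1-5`, `*/10`), the `7` alias for Sunday, and the Vixie-cron rule that when both day-of-month and day-of-week are restricted, a match on either one fires the job.

```python
"""Decode crontab schedule fields as the slide lays them out.

Added example, not from the presentation.  The crontab line is constructed
after the slide's '21 14 * * 2' entry; the command path is a placeholder.
Handles lists, ranges and steps, '7' as Sunday, and the Vixie-cron rule that
when both day-of-month and day-of-week are restricted, either one matching
fires the job.
"""
from datetime import datetime

DAY_NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
# (field name, low, high) in crontab column order.
FIELD_RANGES = [("minute", 0, 59), ("hour", 0, 23), ("dom", 1, 31),
                ("month", 1, 12), ("dow", 0, 7)]

# Constructed sample entry (placeholder path, based on the slide's example).
SAMPLE_LINE = "21 14 * * 2 /bin/sh /etc/2run"


def expand_field(spec, low, high):
    """Expand one crontab field into the set of integers it selects."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (low <= start <= end <= high) or step < 1:
            raise ValueError(f"field {spec!r} outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values


def parse_crontab_line(line):
    """Return a dict with the expanded time fields and the command."""
    parts = line.split(None, 5)
    if len(parts) != 6:
        raise ValueError(f"expected 5 time fields and a command: {line!r}")
    entry = {}
    for spec, (name, low, high) in zip(parts[:5], FIELD_RANGES):
        entry[name] = expand_field(spec, low, high)
        entry[name + "_any"] = spec == "*"      # needed for the dom/dow rule
    if 7 in entry["dow"]:                        # 7 is an alias for Sunday
        entry["dow"].discard(7)
        entry["dow"].add(0)
    entry["command"] = parts[5]
    return entry


def runs_at(entry, when):
    """True if the entry fires at the given datetime (minute resolution)."""
    cron_dow = (when.weekday() + 1) % 7          # datetime: Mon=0; cron: Sun=0
    day_ok = when.day in entry["dom"]
    weekday_ok = cron_dow in entry["dow"]
    if not entry["dom_any"] and not entry["dow_any"]:
        day_match = day_ok or weekday_ok         # both restricted: either fires
    else:
        day_match = day_ok and weekday_ok
    return (when.minute in entry["minute"] and when.hour in entry["hour"]
            and when.month in entry["month"] and day_match)


def describe(entry):
    """Human-readable schedule, e.g. '14:21 on Tue'."""
    times = ", ".join(f"{h:02d}:{m:02d}" for h in sorted(entry["hour"])
                      for m in sorted(entry["minute"]))
    if entry["dow_any"]:
        days = "every day"
    else:
        days = "on " + ",".join(DAY_NAMES[d] for d in sorted(entry["dow"]))
    return f"{times} {days}"


if __name__ == "__main__":
    job = parse_crontab_line(SAMPLE_LINE)
    print(describe(job), "->", job["command"])
    print(runs_at(job, datetime(2003, 4, 15, 14, 21)))   # a Tuesday
```

Feeding it the output of `crontab -l` for each account (root's in particular) gives a readable schedule that can be compared against what the administrators say is supposed to run, which is usually where unexpected jobs show up.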
![Page 69: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/69.jpg)
System Info
• dmesg
• prtconf -v (Solaris)
• ioscan (HP)
![Page 70: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/70.jpg)
System Info
dmesg
Variable size pages used to map 1000 graf pages at f7000000
NOTICE: nfs3_link(): File system was registered at index 3.
NOTICE: autofs_link(): File system was registered at index 6.
NOTICE: cachefs_link(): File system was registered at index 7.
8 ccio
8/4 c720
8/4.2 tgt
8/4.2.0 stape
8/4.7.0 sctl
8/4.15.0 sdisk
8/8 c720
8/8.7 tgt
8/8.7.0 sctl
8/16 bus_adapter
![Page 71: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/71.jpg)
System Info
ioscan
![Page 72: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/72.jpg)
Services
• /etc/services
• inetd
  – super daemon
    1. checks the incoming port,
    2. consults /etc/services to get the service name,
    3. reads its configuration file, /etc/inetd.conf, to determine what program to start to handle the incoming connection
![Page 73: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/73.jpg)
Services
• /etc/services
  <official service name> <port number/protocol name> <aliases>
ftp-data 20/tcp # File Transfer Protocol (Data)
ftp 21/tcp # File Transfer Protocol (Control)
telnet 23/tcp # Virtual Terminal Protocol
smtp 25/tcp # Simple Mail Transfer Protocol
time 37/tcp timeserver # Time
time 37/udp timeserver #
rlp 39/udp resource # Resource Location Protocol
whois 43/tcp nicname # Who Is
![Page 74: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/74.jpg)
Services
● /etc/inetd.conf
# A line in the configuration file has the following fields separated by tabs and/or spaces:
# service name         as in /etc/services
# socket type          either "stream" or "dgram"
# protocol             as in /etc/protocols
# wait/nowait          only applies to datagram sockets; stream sockets should specify nowait
# user                 name of user as whom the server should run
# server program       absolute pathname for the server inetd will execute
# server program args  arguments the server program uses as they normally are, starting with argv[0] which is the name of the server
ftp stream tcp nowait root /usr/lbin/ftpd ftpd -l
  (the -l flag causes each FTP session to be logged in the syslog file)
telnet stream tcp nowait root /usr/lbin/telnetd telnetd
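The three-step lookup inetd performs (port, then /etc/services, then /etc/inetd.conf) is also the cross-check an auditor can automate: join the active inetd.conf lines to /etc/services and see which ports are really being served, by which program, and as whom. The script below is an added example, not the presentation's code. Both files are constructed samples in the formats shown on the preceding slides (the `internal` keyword marks services inetd handles itself); the findings it raises are the ones the slides draw attention to: a cleartext-credential protocol, an external server program running as root, and a service name /etc/services cannot resolve to a port.

```python
"""Cross-check /etc/inetd.conf against /etc/services, as an auditor would.

Added example, not from the presentation.  Both files below are constructed
samples in the formats the slides show; the 'internal' keyword marks
services inetd serves itself.
"""

SERVICES = """\
ftp-data 20/tcp          # File Transfer Protocol (Data)
ftp      21/tcp          # File Transfer Protocol (Control)
ssh      22/tcp          # SSH Remote Login Protocol
telnet   23/tcp          # Virtual Terminal Protocol
smtp     25/tcp
time     37/tcp timeserver
time     37/udp timeserver
whois    43/tcp nicname
"""

INETD_CONF = """\
# service socket proto wait user server args
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell  stream tcp nowait root /usr/lbin/remshd  remshd
time    stream tcp nowait root internal
daytime dgram  udp wait   root internal
"""

# Protocols that carry passwords unencrypted.
CLEARTEXT = {"ftp", "telnet", "shell", "login", "exec", "pop3", "imap"}


def parse_services(text):
    """Map (name or alias, protocol) -> port number."""
    ports = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        name, port_proto, aliases = fields[0], fields[1], fields[2:]
        port_text, proto = port_proto.split("/", 1)
        for n in [name, *aliases]:
            ports[(n, proto)] = int(port_text)
    return ports


def parse_inetd_conf(text):
    """Return dicts for the active (uncommented) inetd.conf lines."""
    keys = ("service", "socket", "proto", "wait", "user", "server", "args")
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)        # args keep their internal spacing
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        entry = dict(zip(keys, fields))
        entry.setdefault("args", "")
        entries.append(entry)
    return entries


def audit_inetd(inetd_text, services_text):
    """Return (service, proto, port, findings) tuples for each active service."""
    ports = parse_services(services_text)
    report = []
    for e in parse_inetd_conf(inetd_text):
        findings = []
        port = ports.get((e["service"], e["proto"]))
        if port is None:
            findings.append("not in /etc/services")
        if e["service"] in CLEARTEXT:
            findings.append("cleartext protocol")
        if e["user"] == "root" and e["server"] != "internal":
            findings.append("external server runs as root")
        report.append((e["service"], e["proto"], port, tuple(findings)))
    return report


if __name__ == "__main__":
    for service, proto, port, findings in audit_inetd(INETD_CONF, SERVICES):
        print(f"{service:8}{proto:4}{str(port):6}{'; '.join(findings) or 'ok'}")
```

The commented-out `shell` line is skipped on purpose: what inetd is not configured to serve is as much a part of the picture as what it is, and the report should match what `netstat -a` shows listening.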
![Page 75: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/75.jpg)
Shares
• nis (Network Information Service)
Formerly YP (Yellow Pages)
• nfs (Network File System)
![Page 76: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/76.jpg)
NFS Server
• Daemons
  mountd, nfsd, statd, nfslogd
• Files
  /etc/dfs/dfstab – list of all local filesystems automatically shared
  /etc/dfs/rmtab – table of NFS file systems mounted by clients
  /etc/dfs/nfslog.conf – defines path, filenames & logging options
• Commands
  share, unshare, dfshares, dfmounts (all show share-in-use information)
![Page 77: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/77.jpg)
NFS Security
• In general
  ● Only run NFS as needed, apply latest patches
  ● Careful use of /etc/exports (or /etc/dfs/dfstab for Sun)
  ● Read-only if possible
  ● No suid if possible
  ● Fully qualified hostnames
![Page 78: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/78.jpg)
NFS Client
• Daemons (look for them)
  statd, lockd
• Files (review)
  /etc/vfstab, /etc/mnttab, /etc/dfs/fstypes
• Commands
  dfshares, dfmounts
![Page 79: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/79.jpg)
NIS
• If you do NOT use NIS or NIS+, make your system a HP-UX trusted system for easier system security
![Page 80: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/80.jpg)
NIS
Daemon / command   Function
ypserv Server process
ypwhich Lists name of the NIS server (client)
ypcat -x Displays the contents of an NIS map (client)
![Page 81: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/81.jpg)
NIS
What's exported?
# ypwhich
ypwhich: the NIS domain name hasn't been set on this machine
# exportfs -v (HP: shows all exported)
nothing exported
![Page 82: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/82.jpg)
NIS
# ypwhich
![Page 83: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/83.jpg)
NIS
# exportfs -v
![Page 84: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/84.jpg)
NIS
# ypcat -x or ypwhich -x
Use "passwd" for map "passwd.byname"
Use "group" for map "group.byname"
Use "networks" for map "networks.byaddr"
Use "hosts" for map "hosts.byaddr"
Use "protocols" for map "protocols.bynumber"
Use "services" for map "services.byname"
Use "aliases" for map "mail.aliases"
Use "ethers" for map "ethers.byname"
![Page 85: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/85.jpg)
NIS
• HP: cat /var/yp/secureservers - defines trusted NIS servers
255.255.255.255 192.1.1.1 - only one server
255.255.0.0 128.1.0.0 - any server from the 128.1 subnet
• HP: cat /var/yp/securenets - defines trusted NIS clients
255.255.255.255 192.1.1.2 - only one client
255.255.0.0 128.1.0.0 - any client from the 128.1 subnet
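How a securenets-style list is evaluated, as an added example that is not part of the deck: a POSIX shell/awk check that masks the client address with each line's netmask and compares it with the masked address on that line. The sample list is constructed from the two client lines on the slide; the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the deck): evaluate a /var/yp/securenets-style list,
# one "netmask address" pair per line, against a client address. A client is
# trusted when (client AND netmask) equals (address AND netmask) on some line.
# Constructed sample, taken from the two client lines shown on the slide.
SAMPLE_SECURENETS='255.255.255.255 192.1.1.2
255.255.0.0 128.1.0.0'

# securenets_allows IP: read mask/address pairs on stdin; exit 0 if IP is
# trusted by at least one line, 1 otherwise. Plain POSIX awk (no and()).
securenets_allows() {
    awk -v ip="$1" '
        # bitwise AND of two octets (0-255) without a bitwise operator
        function band(x, y,  r, b) {
            r = 0
            for (b = 128; b >= 1; b /= 2) {
                if (x >= b && y >= b) r += b
                if (x >= b) x -= b
                if (y >= b) y -= b
            }
            return r
        }
        # dotted quad ANDed with a dotted-quad mask, returned as a dotted quad
        function masked(addr, mask,  a, m, out, i) {
            split(addr, a, "."); split(mask, m, ".")
            out = band(a[1], m[1])
            for (i = 2; i <= 4; i++) out = out "." band(a[i], m[i])
            return out
        }
        /^[ \t]*#/ || NF < 2 { next }                     # comments, blank lines
        masked(ip, $1) == masked($2, $1) { found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# The slide's two cases plus two neighbours that must be rejected.
for client in 192.1.1.2 192.1.1.3 128.1.200.7 128.2.0.1; do
    if printf '%s\n' "$SAMPLE_SECURENETS" | securenets_allows "$client"; then
        echo "$client: trusted"
    else
        echo "$client: not trusted"
    fi
done
```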
![Page 86: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/86.jpg)
Trusts
• /etc/hosts.equiv
– non-root access request:
if host exists -> /etc/passwd
if account exists -> you're in! (no password challenge)
• .rhosts
– root access request:
.rhosts checked; if host exists -> you're in! no jacket required!
• /etc/ftpusers
if they're in here, they are restricted
root, uucp, adm, lp, smtp, bin, nobody etc. are all good candidates!
![Page 87: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/87.jpg)
Trusts: TCP Wrappers only
TCP Wrappers inserts itself into the middle of the relationship and acts as the server until the client/host is authenticated
• /etc/hosts.deny (ALL:ALL)
Hosts that will be denied access
• /etc/hosts.allow (only trusted hosts!)
Hosts that will be permitted access
![Page 88: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/88.jpg)
Trusts
• /usr/adm/sulog
– see who has been switching users
• /var/log/messages
– see who has been switching user
• find / -nouser -print -o -nogroup -print
• find / -user root -perm -004000 -print
• find / -xdev -perm -004000 -exec ls -l {} \;
• find / -name .rhosts -exec cat {} \; >audit.rh
• find / -name .netrc
![Page 89: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/89.jpg)
Users & Groups
• /etc/passwd
rights on the file
• if I can change my UID to 0, I'm root
-rw-r--r-- 1 root root 683 Jan 29 07:19 /etc/passwd
contents of the file
username:passwd:uid:gid:comments:directory:shell
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
• Shadow passwords or trusted system in use?
![Page 90: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/90.jpg)
Shadow Passwords
• Solaris, Linux
– /etc/shadow
• HPUX
– /tcb/files/auth
![Page 91: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/91.jpg)
Shadow Passwords
Fields, in order:
username:
password:
date of last change (# days since 01/01/1970):
minimum days between changes:
maximum # days between changes:
# days warning in advance of change:
# days after required change before disabled:
account expire date:
reserved and empty
root:$1$RY7BRRo9$vbJX3mu0ESeUAhlfYYupk1:12081:0:99999:7:-1:134539236
bin:**:11926:0:99999:7:::
daemon:*:11926:0:99999:7:::
adm::11926:0:99999:7:::
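An added example (not from the deck) that reads lines in the shadow layout above and reports what an auditor would flag: empty password fields (the adm line on the slide), accounts whose password never expires, and the hash type in use. The sample lines are constructed from the slide's values; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the deck): audit lines in the /etc/shadow layout.
# Fields: name:password:lastchg:min:max:warn:inactive:expire:reserved
# Constructed sample built from the values shown on the slide.
SAMPLE_SHADOW='root:$1$RY7BRRo9$vbJX3mu0ESeUAhlfYYupk1:12081:0:99999:7:-1:134539236:
bin:**:11926:0:99999:7:::
daemon:*:11926:0:99999:7:::
adm::11926:0:99999:7:::'

# audit_shadow: read shadow-format lines on stdin, print "user<TAB>finding"
# for each condition worth a line in the audit report.
audit_shadow() {
    awk -F: '
        NF < 2 { next }                                  # skip malformed lines
        $2 == "" { print $1 "\tEMPTY_PASSWORD"; next }   # login needs no password at all
        $2 ~ /^[*!]/ { next }                            # locked: no password login possible
        $5 == "" || $5 + 0 >= 99999 { print $1 "\tNO_PASSWORD_EXPIRY" }
        $2 ~ /^\$1\$/ { print $1 "\tMD5_CRYPT_HASH" }    # $1$ prefix = MD5-based crypt
        $2 !~ /^\$/ && length($2) == 13 { print $1 "\tDES_CRYPT_HASH" }  # 13-char traditional DES
    '
}

# has_no_empty_passwords: exit 0 when stdin contains no empty-password account.
has_no_empty_passwords() {
    ! audit_shadow | grep -q 'EMPTY_PASSWORD$'
}

printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```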
![Page 92: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/92.jpg)
Users & Groups
• /etc/group
rights on the file
• if I can change my GID to 0, I've got root
-rw-r--r-- 1 root root 455 Jan 29 07:19 /etc/group
contents of the file
group_name:password:group_id:list
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
![Page 93: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/93.jpg)
Putting it all together
• Script to run commands and dump output to /tmp
• tar all of the output files and transfer via network to your laptop
• use Cygwin to evaluate the output files!
![Page 94: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/94.jpg)
Putting it all together
• Grep
• Telnet
• Cat
• Find
![Page 95: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/95.jpg)
Putting it all together
last >/tmp/last.atxt
root tty1 Sun Mar 16 12:22 still logged in
reboot system boot 2.2.14-5.0 Sun Mar 16 12:21 (05:51)
root tty1 Sat Mar 15 14:20 - down (07:12)
root pts/1 :0 Sat Mar 15 14:14 - 14:14 (00:00)
root pts/1 :0 Sat Mar 15 13:07 - 13:07 (00:00)
root pts/0 :0 Sat Mar 15 12:27 - 14:14 (01:46)
root tty1 Sat Mar 15 12:01 - 14:19 (02:18)
reboot system boot 2.2.14-5.0 Sat Mar 15 11:58 (09:34)
root tty1 Thu Mar 13 06:32 - down (08:10)
root tty1 Thu Mar 13 06:29 - 06:32 (00:02)
reboot system boot 2.2.14-5.0 Thu Mar 13 06:24 (08:19)
root tty1 Tue Mar 11 07:11 - down (02:17)
reboot system boot 2.2.14-5.0 Tue Mar 11 07:10 (02:18)
root tty1 Sun Mar 9 18:12 - down (00:49)
reboot system boot 2.2.14-5.0 Sun Mar 9 18:09 (00:51)
![Page 96: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/96.jpg)
Putting it all together
• grep -a -i -f grep.txt target.txt
-a = process the target file as text
-i = ignore case
-f = use input file
grep.txt = name of input file
target.txt = file being "grepped"
Cygwin note:
If you are using Cygwin, you can create the input file in a Windows editor (e.g. Notepad), but before using it with grep you must convert it to a Unix file with the 'dos2unix' command (dos2unix filename).
For example, dos2unix grep.txt will convert the DOS text file grep.txt to Unix text. The differences between the two are not great, but they are large enough to prevent grep from understanding the input file if you don't convert it first!
![Page 97: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/97.jpg)
Putting it all together
grep.txt (the pattern file, one service name per line):
talk
name
finger
uucp
mouse
tftp
shell
login
exec
comsat
systat
netstat
admind
![Page 98: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/98.jpg)
Putting it all together
$ grep -a -i -f grep.txt target.txt
systat 11/tcp users # Active Users
whois 43/tcp nicname # Who Is
tftp 69/udp # Trivial File Transfer Protocol
finger 79/tcp # Finger
hostnames 101/tcp hostname # NIC Host Name Server
uucp-path 117/tcp # UUCP Path Service
netbios_ns 137/tcp # NetBIOS Name Service
exec 512/tcp # remote execution, passwd required
login 513/tcp # remote login
shell 514/tcp cmd # remote command, no passwd used
talk 517/udp # conversation
ntalk 518/udp # new talk, conversation
![Page 99: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/99.jpg)
Putting it all together
grep -o 'JM[0-9][0-9][0-9][0-9][0-9]' leg_share.txt
grep -o 'JM[0-9][0-9][0-9][0-9][0-9]' leg_share.txt |sort -u
grep -o 'JM[0-9][0-9][0-9][0-9][0-9]' leg_share.txt |sort -u >sorted.txt; grep -A1 -f sorted.txt april_users.txt
![Page 100: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/100.jpg)
Putting it all together
tar -cvf audit.tar /tmp/*atxt
![Page 101: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/101.jpg)
Putting it all together
• The following slides are a list of commands I use to audit Unix systems.
• This list is not "all encompassing", well organized, 100% accurate, or 100% complete.
• Use at your own risk, no warranty expressed or implied. Void where prohibited.
• This list can be a place to start your own research.
• The goal is to place the output of these simple commands into the /tmp directory, tar them up and then transfer them back to the auditor's workstation for analysis.
Good luck and enjoy!
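The collection step described above, as an added example rather than the presenter's own script: each command's output and errors go to a separate .atxt file, the exit status is recorded with it, and the set is tarred for transfer to the auditor's workstation. The output directory, file names and the command subset are assumptions.

```shell
#!/bin/sh
# Added example (not the presenter's script): run audit commands, keep each
# command's output and errors in its own .atxt file, then tar the set.
# Output directory, file names and the command list are assumptions.
OUTDIR="${AUDIT_OUTDIR:-$(mktemp -d /tmp/audit.XXXXXX)}"

# capture NAME CMD...: write stdout+stderr of CMD to $OUTDIR/NAME.atxt with a
# header and the exit status, so "No such file" is kept as a finding
# (the deck's point that errors can be a good thing) rather than lost.
capture() {
    name="$1"; shift
    {
        printf '### %s\n### host=%s date=%s\n' "$*" "$(uname -n)" "$(date)"
        if "$@"; then rc=0; else rc=$?; fi
        printf '### exit status: %s\n' "$rc"
    } >"$OUTDIR/$name.atxt" 2>&1
}

# exit_status_of NAME: the exit status recorded in NAME.atxt
exit_status_of() {
    sed -n 's/^### exit status: //p' "$OUTDIR/$1.atxt"
}

# collect: a portable subset of the deck's command list; add the HP-UX and
# Solaris specific ones from the slides as needed.
collect() {
    capture uname    uname -a
    capture passwd   sort /etc/passwd
    capture group    sort /etc/group
    capture exports  cat /etc/exports      # absent on most hosts: the error is the finding
    capture env      env
    capture suid     find / -xdev -perm -4000 -exec ls -l {} \;
    tar -cf "$OUTDIR.tar" -C "$OUTDIR" . && echo "archive: $OUTDIR.tar"
}

collect
```

Run with AUDIT_OUTDIR set to keep the .atxt files somewhere other than a fresh mktemp directory.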
![Page 102: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/102.jpg)
Putting it all together
"the usual suspects" (command)   "the usual reasons" (what it shows)
ls /etc/sam/custom/login-name.cf #config file that sets user’s rights for sam
bdf >/tmp/bdf.atxt show mounts
cat /etc/passwd |sort >/tmp/passwd.atxt users and passwd info
cat /etc/group |sort >/tmp/groups.atxt group list and members
cat /etc/shadow |sort >/tmp/shadow.atxt users and passwd info
cat /etc/services >/tmp/services.atxt list content of services file
cat /etc/aliases >/tmp/aliases.atxt system mail aliases
cat /etc/default/useradd >/tmp/useradd.atxt show useradd template params
cat /etc/dfs/dfstab >/tmp/dfstab.atxt list mount points
cat /etc/fstab >/tmp/fstab.atxt list mount points
cat /etc/exports >/tmp/exports.atxt look for nfs (errors can be a good thing!)
cat /etc/ftpd/ftpusers |sort >/tmp/ftpusers.atxt restricted ftp users
cat /etc/ftpusers |sort >/tmp/ftpusers.atxt restricted ftp users
cat /etc/hosts.equiv >/tmp/hosts.equiv.atxt show privileged hosts
cat /etc/hosts >/tmp/hosts.atxt show hosts resolve
cat /etc/inetd.conf >/tmp/inetd.conf.atxt show the configuration file for inetd
cat /etc/xinetd.d/inetd.conf >/tmp/inetd.conf.atxt show the configuration file for inetd
cat /etc/inittab >/tmp/inittab.atxt show initialization tab
cat /etc/nsswitch.conf >/tmp/nsswitch.atxt display name resolution order
cat /etc/pam >/tmp/pam.atxt Pluggable Authentication Modules
cat /etc/pam.conf >/tmp/pamconf.atxt Display Pam Settings
cat /etc/PATH >/tmp/path.atxt display path
echo $PATH >/tmp/path.atxt display path
cat /etc/profile >/tmp/profile.atxt show profiles
cat /etc/rc.config >/tmp/rcconfig.atxt show rc config
* omit everything to the right of “>” for output to screen
![Page 103: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/103.jpg)
Putting it all together
"the usual suspects" (command)   "the usual reasons" (what it shows)
cat /etc/rhosts >/tmp/rhosts.atxt show hosts able to connect remote
cat /etc/rpc >/tmp/rpc.atxt RPC program number database
cat /etc/shadow >/tmp/shadow.atxt shadow password
cat /etc/uucp/Devices >/tmp/uucp_devices.atxt look for uucp devices
cat /etc/uucp/Dialers >/tmp/uucp_dialers.atxt check for modems
cat /usr/lib/uucp/Devices >/tmp/uucp_devices.atxt list of uucp devices
cat /usr/lib/uucp/Dialers >/tmp/uucp_dialers.atxt check for modem phone numbers
cat /usr/lib/uucp/Systems >/tmp/uucp_systems.atxt list of uucp systems
crontab -l >/tmp/crons.atxt list contents of the crontab
df -h >/tmp/df.atxt disk space
df -k >/tmp/dfk.atxt show disk space
# df -k >/tmp/x.atxt show disk space
env >/tmp/env.atxt display environment
exportfs >/tmp/exportfs.atxt list currently exported files and directories
last >/tmp/last.atxt last logins
lastb >/tmp/last.bad.atxt last bad logins
ls /etc/rc/rc.3 >/tmp/rc3.atxt Show what is turned on/off for this runlevel
ls /etc/rc/rc.5 >/tmp/rc5.atxt Show what is turned on/off for this runlevel
ls -l /etc/exports >/tmp/exports.atxt show permissions on /etc/exports
ls -l -R /tcb/files/auth >/tmp/hp_trusted.atxt show trusted systems “shadow file”
ls -l -R / >/tmp/filesys.atxt rights on the (ugh) filesystem
mount >/tmp/mountpts.atxt show drive mount points
* omit everything to the right of “>” for output to screen
![Page 104: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/104.jpg)
Putting it all together
"the usual suspects" (command)   "the usual reasons" (what it shows)
cat /etc/rc.config.d/netconf >/tmp/netconf.atxt config values for core networking subsystems
cat /etc/rc.config.d/netconf /etc/rc.config.d/auditing >>/tmp/rc_configd.atxt #gets the rest
cat /etc/resolv.conf >/tmp/resolvconf.atxt # defines the domain the system belongs to and the name server the client will use.
cat /etc/uucp/Systems >/tmp/uucp_systems.atxt "Unix-to-Unix copy": lists and describes remote systems accessible to a local system using the Basic Networking Utilities
cat /var/adm/inetd.sec >/tmp/inetd_sec.atxt # The lines in the file contain a service name, a permission field and the Internet addresses or names of the hosts and/or networks allowed to use that service on the local machine.
cat /etc/securetty >/tmp/securetty.atxt file with contents "console": if it exists then root can only log in from the console; all others must remote login as themselves and then su.
find / \( -perm -4000 -o -perm -2000 \) -ls >/tmp/uid.atxt look for setuid or setgid
find / -name .profile >/tmp/x.atxt show profile file (get cshell and korn shell too!)
find / -name .rhosts -exec cat {} \; >/tmp/rhosts.atxt rhosts search
find / -perm -2000 -exec ls -al {} \; >/tmp/2000.atxt find permissions on files
find / -perm -4000 -exec ls -al {} \; >/tmp/4000.atxt find permissions on files
find /etc/rc.config.d/*conf* -exec cat {} \; >/tmp/rc.config.atxt displays the config files from /etc/rc.config.d/
find /etc/rc.config.d/*config* -exec cat {} \; >/tmp/hp_rc.config.d.atxt #list contents of the config files
find /etc/rc.config.d/audit* -exec cat {} \; >/tmp/hp_rc.audit.atxt list contents of the auditing config
xxx.xxx.xxx.xxx
ypwhich Lists name of the NIS server and nickname translation table
ypcat -x Displays the contents of an NIS map.
exportfs -v >/tmp/exportfs.atxt Print each directory or file name as it is exported or unexported
share >/tmp/share.atxt Print each directory or file name as it is exported or unexported
cat /etc/hosts.allow Lists machines (IP address) from which the host will accept an incoming connection
cat /etc/hosts.deny Lists machines (IP address) from which the host will NOT accept an incoming connection
find / -name snmpd.conf -exec grep -l public {} \; find snmpd config files where the default password (community string) of public may exist
* omit everything to the right of “>” for output to screen
![Page 105: Creating, Using and Justifying the Auditor's Toolkit Welcome General announcements](https://reader031.vdocuments.mx/reader031/viewer/2022012918/56649e7c5503460f94b7e413/html5/thumbnails/105.jpg)
Putting it all together
"the usual suspects" (command)   "the usual reasons" (what it shows)
netstat -a >/tmp/netstata.atxt all sockets
netstat -in >/tmp/netstatin.atxt show interface info
netstat -rv >/tmp/netstatrv.atxt route table
nfs configs >/tmp/x.atxt Solaris package manager
pkginfo >/tmp/pkginfo.atxt solaris look for installed packages
ps -aef >/tmp/psaef.atxt show those processes
ps -aux >/tmp/psaux.atxt more processes
rpm -qa >/tmp/rpms.atxt Linux display installed pkgs
showmount -e >/tmp/ex_mntpts.atxt show exported mount points
swlist -l fileset >/tmp/hp_pkgs.atxt hp look for installed pkgs
tail -300 /usr/adm/sulog >/tmp/sulog.atxt last 300 lines of su log
uname -a >/tmp/uname.atxt id the system
rpcinfo >/tmp/x.atxt Show rpc services running (portmapper dump) on
cat /etc/printcap.local This file used to specify custom edited printers
ioscan list hardware config
umask display current umask settings
* omit everything to the right of “>” for output to screen
Some useful URLs:
ICAT Metabase and Secunia http://icat.nist.gov/icat.cfm and www.secunia.com
Common Vulnerabilities and Exposures http://cve.mitre.org/
Rosetta Stone for Unix http://bhami.com/rosetta.html
RPC port info http://www.iss.net/security_center/advice/Exploits/Ports/RPC/default.htm