Security Tools

Cops

Available from: ftp://coast.cs.purdue.edu/pub/tools/unix/cops/1.04/

Description - excerpts from COPS.report

  1. Check "vital" system files and directories to see if they have dangerous permissions (usually either world-writable, or world-readable.) Files and directories thought to be critical are in a configuration file is_able.lst. Wildcards are usable like in UNIX; indeed, COPS passes everything to the shell for expansion.

  2. Check devices for file systems to see if they are world-readable/writable, plus check for any exported NFS file systems with no restrictions. The file systems are normally found in /etc/fstab.

  3. Check all files in system for SUID status, notifying the COPS user of any changes in SUID status, and if any SUID files are world-writable, shell scripts, or non-executable (program) files.

  4. Check the /etc/passwd file (and the yellow pages password database, if applicable) for null passwords, improper # of fields, non-unique user-id's, non-numeric group id's, blank lines, and non-alphanumeric user-id's.

  5. Check the /etc/group file (and the yellow pages database, if applicable) for groups with passwords, improper # of fields, duplicate users in groups, blank lines, and non-unique group-id's.

  6. Check passwords of users on system.

    Method -- using the stock "crypt" command, compare the encrypted password found in the /etc/passwd file against the following (encrypted) guesses: the login id (uid), information in the gecos field, and all single letter passwords.

  7. Check the root path, umask, also if root is in /etc/ftpuser and owns /bin, /etc, /etc/passwd, /.login, /.profile and /.rhosts, and finally if a "+" is in /etc/hosts.equiv.

  8. Examine the commands in /etc/rc* to ensure that none of the files or paths used are world-writable.

  9. Examine the commands in /usr/lib/crontab to ensure that none of the files or paths used are world-writable.

  10. Check all of the user home directories to ensure they are not world writable.

  11. Check important user files in user's home directories to ensure they are not world writable, plus checks netrc files to see if they are readable. The files checked (all in the individual users' home directory, all with the prefix "."): rhosts profile login cshrc kshrc tcshr crhost netrc forward dbxinit distfile exrc emacsrc logout

  12. Checks ftp setup; anonymous ftp setup, if you support it. This seems to be fairly site specific; it tries to check for correct ownership, file/directory permissions, etc.; for a complete description, check the man page for ftp.chk.

  13. Check for unexpected file system corruption or security breaches, using CRC values that are generated from your system files, then compared against previously calculated values. As the author says: "It's nice to be able to say that you know all your files are as they should be."

  14. Checks a few miscellaneous potential security problems that really don't belong anywhere else. This includes looking to see if tftp & rexecd are enabled, to check if the uudecode alias is in the mail alias file and not commented out, if uudecode is either SUID or can create SUID files, and if the programs inside the /etc/inetd.conf or /etc/servers aren't world-writable.

  15. Given a goal to compromise, such as user root, and a list of user and group id's that can be used in an attempt to achieve the goal, this security tool will search through the system until it verifies that the goal is compromisible or not. The program that performs this tricky task is part of the U-Kuang (rhymes with "twang") system. Robert Baldwin was kind enough to allow me to include this security checker (a fine security machine in its own right) within this distribution. For more information on this fascinating security checker, see kuang.man.ms and [Baldwin 87]. I have rewritten it in Bourne shell (it was in C-Shell) for further portability; Steve Romig rewrote it in Perl for speed.


Crack

Available from: ftp://coast.cs.purdue.edu/pub/tools/unix/crack/

Description - from the crack README

Crack is a freely available program designed to find standard Unix eight-character DES encrypted passwords by standard guessing techniques outlined below. It is written to be flexible, configurable and fast, and to be able to make use of several networked hosts via the Berkeley rsh program (or similar), where possible.


Tripwire

Available from: ftp://coast.cs.purdue.edu/pub/COAST/Tripwire

Description - from the tripwire man page

Tripwire is a file integrity checker - a utility that compares a designated set of files and directories against information stored in a previously generated database. Added or deleted files are flagged and reported, as are any files that have changed from their previously recorded state in the database. When run against system files on a regular basis, any file changes would be spotted when Tripwire is next run, giving system administrators information to enact damage control measures immediately.

Using Tripwire, system administrators can conclude with an extremely high degree of certainty that a given set of files and directories remain untouched from unauthorized modifications, provided the program and database are appropriately protected (e.g., stored on read-only media). Note that reports of changed files indicate a change from the time of the last Tripwire database installation or update. For best effect, the files being monitored should be reinstalled from known good sources. (See the Tripwire design document for further details.)
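Both COPS item 13 and Tripwire work the same way: record a signature for each monitored file, keep that database somewhere the attacker cannot reach, and later recompute and diff. The following is an added example written for this page (not Tripwire's or COPS's own code) showing that cycle end to end on a constructed directory tree. It assumes SHA-256 together with file mode and size as the signature, where the original tools used CRCs and their own signature routines, and it stands in a separate directory for the read-only media the man page recommends for the database.

```python
"""Minimal Tripwire-style integrity database: baseline, store, recompute, report."""
import hashlib
import json
import os
import stat
import tempfile


def file_signature(path):
    """Mode, size and SHA-256 digest of one regular file (signature choice is an assumption)."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "sha256": digest.hexdigest()}


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated path) to its signature."""
    db = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not stat.S_ISREG(os.lstat(full).st_mode):
                continue  # symlinks, devices and the like are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = file_signature(full)
    return db


def save_db(db, path):
    """Write the baseline as JSON; in practice this file lives on read-only media."""
    with open(path, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_db(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report paths added, deleted or changed (any signature field differs) since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "deleted": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, and diff against the stored DB."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:

        def put(rel, data, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)
            os.chmod(full, mode)

        put("etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        put("etc/hosts.equiv", "trusted.example\n")
        put("bin/ls", "#!/bin/sh\nexec /usr/bin/ls \"$@\"\n", 0o755)

        db_path = os.path.join(vault, "baseline.json")  # 'vault' stands in for read-only media
        save_db(snapshot(root), db_path)

        # Simulated changes between runs: an edited passwd, a removed hosts.equiv,
        # a new .rhosts, and a mode-only change (bin/ls made world-writable).
        put("etc/passwd", "root:x:0:0:root:/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts.equiv"))
        put("etc/.rhosts", "someotherhost.example\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o777)

        return compare(load_db(db_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The mode-only change to bin/ls is the reason the signature records more than a content hash: a file can be made world-writable or setuid without a single byte of its contents changing, and a hash-only database would miss it.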


Merlin

Available from: ftp://ciac.llnl.gov/pub/ciac/sectools/unix/merlin/merlin.tar.gz

Description - from the Merlin README

Merlin is a tool for managing other tools -- it can take a powerful but cryptic command-line tool and provide it with an easy-to-use graphical interface.

Merlin comes with support for 5 popular security tools, but it can be extended to support any command-line oriented tool.

Merlin provides for the execution of tools, and the viewing, enhancement, and management of their reports.

Merlin is written almost entirely in Perl. All interface management is performed through Netscape. It requires Perl 5.001m, C, and Netscape 1.1+.


Other tools supported by Merlin

Tiger

Available from: ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/

SPI (DOD, DOE & their contractors only)

Available from: http://ciac.llnl.gov/cstc/CSTCProducts.html#spi


Last Modified: 16 April 1996

St. Louis Unix Users Group - Linux SIG