12.3. Testing the Configuration

I have presented quite a few system configuration rules, and it is difficult, if not impossible, to remember all of them. System configuration is a complex process, and it is easy to get a setting wrong. Fortunately, because the rules are well defined, checking them can be automated.

There are many utilities for automated configuration checking. Some of them are outdated; others are more recent but check only a limited number of parameters.

The LSAT Utility

The first automated configuration-checking utility I will consider is the Linux Security Auditing Tool (LSAT). It does not have a long track record, but its capabilities have been expanded by frequent updates, and its modular architecture makes adding new checks a quick and easy process.

The LSAT program is distributed as source code and can be downloaded from http://usat.sourceforge.net. When this book was written, version 0.9.2 of the program was available. Both TGZ and ZIP archives are offered. I recommend the former, because the TGZ format is native to Linux and is easier to install.

The program is installed by executing the following sequence of commands:

 tar xzvf lsat-0.9.2.tgz
 cd lsat-0.9.2
 ./configure
 make

The first command unpacks the archive into the lsat-0.9.2 directory (the file and directory names will differ if you download another version). The second command changes into that directory, the third runs the configuration script, and the last one builds the single lsat executable from the source code.

From the build directory, the program is launched by the following command:

 ./lsat

Now you can brew a pot of coffee and have a few cups of it. The checking process is quite lengthy, especially on older machines. The utility accepts the following options, which can be combined:

  • -o <filename> Places the report in the specified file instead of the default, lsat.out.

  • -v Produces a verbose report.

  • -s Silent mode, which is convenient when the utility is run from the cron service.

  • -r Checks RPM integrity against the package database, to verify that the installed packages have not been tampered with. This option is valid only on RPM-based distributions such as Red Hat and Mandrake.

The LSAT utility is best suited to Red Hat systems because it has built-in support for querying the RPM package database, a distinctive feature of Red Hat Linux and its clones.

While the utility is running, it displays messages like the following:

 Starting LSAT...
 Getting system information...
 Running modules...
 Running checkpkgs module...
 ...
 ...
 Running checkx module...
 Running checkftp module...
 Finished. Check lsat.out for details.
 Don't forget to check your umask or file perms when modifying files on the system.

These messages carry no security information; they only tell you which module is currently running. The results are saved to the ./lsat.out file in the current directory. I ran the utility on my system right after a fresh install, and it packed 190 KB of findings into this file. That is plenty of material to pore over, and doing so is a good way to get to know your system better.

The output file contains many recommendations. At the beginning, there is a list of packages that you should consider removing, such as the following:

 ****************************************
 Please consider removing these packages.
 sendmail-8.11.6-15.asp
 portmap-4.0-41
 bind-utils-9.2.1-1.asp
 nfs-utils-0.3.3-5
 pidentd-3.0.14-5
 sendmail-devel-8.11.6-15.asp
 sendmail-cf-8.11.6-15.asp
 ypbind-1.10-7
 ypbind-1.10-7

Indeed, some of these packages have poor security records. New bugs are found in the sendmail program regularly, for example, so LSAT suggests removing it unless the machine really has to be a mail server. The same reasoning applies to the other packages in the list (portmap, nfs-utils, ypbind, pidentd): each of them starts a network service, and a service the machine does not use is nothing but an extra attack surface.

There was one comment in the output file that I especially liked:

 default init level is not set to 5. Good. 

The utility's developer reckoned that the graphical mode is less secure, and rightly so. Running a graphical shell means running additional programs, and as you already know, every additional program is one more place for something to go wrong. Text mode uses less memory, requires fewer resources, and runs fewer programs, which makes it both faster and more secure. (On Red Hat-style systems, runlevel 5 is the graphical login and runlevel 3 is a full multi-user system without X; the default is set by the initdefault line in /etc/inittab.)

Further down the output file, there is a list of all SUID and SGID files on the system. Review it carefully: a SUID root program runs with root privileges no matter who starts it, so every entry in that list is a potential path to root if the program has a bug.

Still further, there is a list of files writable by everyone:

 ****************************************
 This is a list of world writable files
 /var/lib/texmf/ls-R
 /var/www/html/cache/archive/index.html
 /var/www/html/cache/categories/category.cgi
 /var/www/html/cache/categories/index.html
 /var/www/html/cache/download/download-2-1.cgi
 /var/www/html/cache/download/download-3-1.cgi
 /var/www/html/cache/download/download-4-1.cgi

Any user, even one with the humblest access rights, can modify these files. Right below this list is a list of group-writable files, which any member of the owning group can modify. Check whether each of these files really needs to be writable by other users. Ideally, there should be no world-writable files at all: a file should be writable by its owner only, or at worst by the owner's group, but never by everyone. In the listing above, the CGI scripts are the most worrying entries, because a world-writable script that the web server executes lets any local user run code of their choosing with the web server's privileges.
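The three checks discussed above (the default runlevel, the SUID/SGID list, and the world- and group-writable lists) are simple enough to reproduce by hand, which is useful when you want to audit a single directory tree or a mounted disk image rather than run the whole utility. The script below is an added example written for this section; it is not LSAT's own code. It takes a root directory so that it can be pointed at / on a real host or at a constructed tree for a dry run; the demo tree, its file names and the wording of the verdicts are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not LSAT's code): runlevel, SUID/SGID and writable-file checks
# as shell functions that take a root directory. The demo tree is constructed.

# initdefault_runlevel [INITTAB]: the N in an "id:N:initdefault:" line, or "unknown".
initdefault_runlevel() {
    lvl=$(sed -n 's/^[^:#]*:\([0-6]\):initdefault:.*/\1/p' "${1:-/etc/inittab}" 2>/dev/null | head -n 1)
    if [ -n "$lvl" ]; then echo "$lvl"; else echo unknown; fi
}

# check_initdefault [INITTAB]: one-line verdict in the style of LSAT's report.
check_initdefault() {
    lvl=$(initdefault_runlevel "$1")
    if [ "$lvl" = 5 ]; then
        echo "default init level is set to 5 (graphical login). Consider 3."
    else
        echo "default init level is $lvl. Good."
    fi
}

# list_suid_sgid ROOT: regular files with the setuid or setgid bit, one per line.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# list_world_writable ROOT: regular files any user can modify (other-write bit set).
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
}

# list_group_writable ROOT: regular files writable by their group but not by everyone.
list_group_writable() {
    find "$1" -xdev -type f -perm -0020 ! -perm -0002 2>/dev/null | sort
}

# run_audit ROOT [INITTAB]: the report sections in the same order LSAT uses.
run_audit() {
    check_initdefault "${2:-$1/etc/inittab}"
    echo '**** SUID/SGID files'
    list_suid_sgid "$1"
    echo '**** World writable files (any user can modify these)'
    list_world_writable "$1"
    echo '**** Group writable files'
    list_group_writable "$1"
}

# make_demo_tree: constructed tree with one example of each finding; prints its path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/usr/bin" "$root/var/www/html" "$root/home/user"
    printf 'id:3:initdefault:\n' > "$root/etc/inittab"
    echo '#!/bin/sh' > "$root/usr/bin/passwd";         chmod 4755 "$root/usr/bin/passwd"      # SUID
    echo '#!/bin/sh' > "$root/usr/bin/wall";           chmod 2755 "$root/usr/bin/wall"        # SGID
    echo '<html>'    > "$root/var/www/html/index.html"; chmod 0666 "$root/var/www/html/index.html"  # world writable
    echo 'notes'     > "$root/home/user/shared.txt";   chmod 0664 "$root/home/user/shared.txt"     # group writable
    echo 'secret'    > "$root/home/user/private.txt";  chmod 0600 "$root/home/user/private.txt"    # fine
    echo "$root"
}

# Dry run on the constructed tree: sh audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree); run_audit "$root"; rm -rf "$root"
fi
```

On a live system run it as root with `run_audit /`; the -xdev keeps find from descending into /proc, NFS mounts and other file systems, so repeat the call for every local mount point you care about.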

The output file is in a convenient, easy-to-read format; at the end, however, there is a fly in the ointment, or perhaps more of a mosquito than a fly: the report section on changes in the file system since the previous run is difficult to use. All changes are heaped into one pile without any indication of which are serious and which are not. Files being added to or deleted from the /tmp directory, for example, is of little interest from the security standpoint, because that happens there constantly. Changes in the /etc directory are much more important to security and ought to have been set apart.
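The ranking the text asks for is easy to add on top of a hash snapshot. The script below is an added example, not LSAT's code: it records a baseline of file hashes, compares it with a later snapshot, and prints changes under etc/ first, changes under tmp/ last. The three severity tiers, the directory prefixes assigned to them, and the constructed demo tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not LSAT's code): snapshot-and-compare with changes ranked by
# location, so an edit under etc/ is not buried in the churn under tmp/.

# hash_file FILE: sha256sum on Linux, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# snapshot ROOT OUTFILE: one "hash<TAB>relative-path" line per regular file under ROOT.
snapshot() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
          printf '%s\t%s\n' "$(hash_file "$f")" "${f#./}"
      done ) > "$2"
}

# severity RELPATH: assumed tiers, HIGH for etc/, LOW for tmp/ and var/tmp/, MEDIUM otherwise.
severity() {
    case "$1" in
        etc/*)           echo HIGH ;;
        tmp/*|var/tmp/*) echo LOW ;;
        *)               echo MEDIUM ;;
    esac
}

# compare OLD NEW: print "SEVERITY ACTION path" lines, highest severity first.
compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # load the baseline
        !($2 in old)        { print "ADDED", $2; next }
        old[$2] != $1       { print "MODIFIED", $2 }
                            { delete old[$2] }       # seen in both snapshots
        END { for (p in old) print "REMOVED", p }    # left only in the baseline
    ' "$1" "$2" |
    while read -r action path; do
        printf '%s %s %s\n' "$(severity "$path")" "$action" "$path"
    done |
    awk '{ rank = ($1 == "HIGH") ? 1 : ($1 == "MEDIUM") ? 2 : 3; print rank, $0 }' |
    sort -k1,1n -k4 | cut -d' ' -f2-
}

# demo_setup: constructed tree, baseline snapshot, three changes, second snapshot.
# Prints the work directory; the caller removes it.
demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/etc" "$work/tree/tmp" "$work/tree/var/log"
    echo 'root:x:0:0:root:/root:/bin/bash' > "$work/tree/etc/passwd"
    echo 'old log' > "$work/tree/var/log/messages"
    snapshot "$work/tree" "$work/baseline.txt"
    echo 'backdoor:x:0:0::/:/bin/sh' >> "$work/tree/etc/passwd"   # HIGH: modified
    echo scratch > "$work/tree/tmp/sess_1234"                      # LOW: added
    rm "$work/tree/var/log/messages"                                # MEDIUM: removed
    snapshot "$work/tree" "$work/current.txt"
    echo "$work"
}

# Dry run: sh fschanges.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(demo_setup); compare "$work/baseline.txt" "$work/current.txt"; rm -rf "$work"
fi
```

Keep the baseline file somewhere the audited system cannot modify (read-only media or another host); a baseline stored on the machine being checked can be rewritten by the same intruder whose changes you are trying to find.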

The Bastille Utility

The Bastille project (http://bastille-linux.sourceforge.net) was created by Linux security specialists and has been around for a long time. The developers also intended to write a more secure version of the operating system, but it seems they overestimated their capacity for that task. It is a pity, because the Bastille utility itself is an excellent security product.

The program checks the system for potential weaknesses and produces a report of what it finds. It can also fix the discovered problems automatically.

The program is so intuitive and easy to use that I will not even cover that aspect. Unlike similar programs, Bastille can work in both text and graphical modes. It can be installed either from an RPM package or by compiling the source code.



Source: Hacker Linux Uncovered (ISBN 1931769508, 2004, 141 pages).
