Subject: Re: Daily Insecurity output
To: Brad Salai <bsalai@tmonline.com>
From: Rob Windsor <windsor@warthog.com>
List: netbsd-users
Date: 07/04/1997 11:38:01
Verily did Brad Salai write:

> I'm starting to pay attention to the daily insecurity output. I've deleted
> most of the bogus users from passwd, but there are a few other things that
> show up every day.
> Are any of these causes for concern, and if so, what is the best way to
> address them?

follow along..

> -------
> Checking root csh paths, umask values:
> /etc/csh.cshrc /etc/csh.login /root/.cshrc /root/.login

> Root csh startup files do not set the umask.

> Checking root sh paths, umask values:
> /root/.profile

> Root sh startup files do not set the umask.

echo "umask 0022" >> /root/.profile
echo "umask 0022" >> /root/.login

> -------
> Checking special files and directories.
> dev/fd: user (0, 3)
> 	gid (0, 7)
> 	permissions (0755, 0555)
> etc/mtree/special:
> 	user (0, 100)
> 	gid (0, 100)
> etc/csh.cshrc:
> 	user (0, 100)
> 	gid (0, 100)
> etc/csh.login:
> 	user (0, 100)
> 	gid (0, 100)
> etc/csh.logout:
> 	user (0, 100)
> 	gid (0, 100)
> etc/daily:
> 	user (0, 100)
> 	gid (0, 100)
> etc/ftpusers:
> 	user (0, 100)
> 	gid (0, 100)
> etc/hosts.equiv:
> 	permissions (0600, 0644)
> etc/monthly:
> 	user (0, 100)
> 	gid (0, 100)
> etc/netstart:
> 	permissions (0744, 0644)
> etc/sendmail.cf:
> 	permissions (0644, 0444)
> etc/weekly:
> 	user (0, 100)
> 	gid (0, 100)
> etc/named.boot:
> 	type (file, link)
> 	permissions (0644, 0755)
> root/.klogin:
> 	permissions (0600, 0644)
> usr/games/hide:
> 	gid (0, 13)
> usr/src:
> 	permissions (0775, 0755)
> var/at: gid (1, 0)
> var/log/authlog:
> 	permissions (0600, 0644)
> var/mail:
> 	permissions (0755, 0757)
> -----

> missing: ./etc/crontab
> missing: ./etc/exports
> missing: ./root/.rhosts
> missing: ./var/account/acct
> missing: ./var/spool/ftp/bin/ls
> missing: ./var/spool/ftp/etc/group
> missing: ./var/spool/ftp/etc/localtime
> missing: ./var/spool/ftp/etc/master.passwd
> missing: ./var/spool/ftp/etc/passwd
> missing: ./var/spool/ftp/pub
> missing: ./var/spool/news

Take a look at each of the files specified above and verify that the
permissions are what you would like them to be.  Change those
that you know need to be changed.  If you have any questions, go ahead
and change them to reflect what the above report says.

The data is always given as (should, current), where `should' is what
/etc/mtree/special indicates the properties of that file/directory
should be, and `current' is the actual state of that file (at the
time of the security audit).

The `missing:' lines are easily fixed by making slight changes to
/etc/mtree/special.  You can append the keyword "optional" to the line
specifying the file/directory in question.

For example, root/.rhosts is silly; the fact that it doesn't exist is a
_good_ thing.  Here's what I have:

    (r) kenku:/etc/mtree#grep .rhosts special
    .rhosts         type=file mode=0600 uname=root gname=wheel optional

Other things such as /var/ftp/ - commenting these out may be the easy way
of handling them; just be diligent in finding accompanying `..' definitions.

You may find it easier to spread the work out over several days.. using
one day to change file/directory permissions, and using the next day to
alter the mtree datafile.  Each day, you use the report that was generated
the night before.  If you don't have the patience, you can manually run
mtree as per the security script:

        mtree -e -p / -f /etc/mtree/special > /tmp/foo

("man mtree" for more information about the options)

If you wish, I can send you my /etc/mtree/special.  You'll have to make
some minor adjustments, but it's basically "corrected stock".

-- Rob
----------------------------------------
Internet: windsor@warthog.com
Life: Rob@Carrollton.Texas.USA.Earth

The weather is here, wish you were beautiful.
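[Editor's note, added to this archived message; the script below is not Rob's
or NetBSD's code.]  The (should, current) report is tedious to turn into
chown/chgrp/chmod commands by hand, so here is a small sh/awk filter that
does it, and that flags the `type' mismatches and `missing:' entries that
cannot be fixed by a permission change.  It assumes the report layout is
exactly the one quoted above ("path: key (should, current)", further
mismatches for the same path on tab-indented lines, and "missing: ./path"),
that paths contain no colons, and that mtree was run with -p / so the
prefix to prepend is "/".  The sample report is a constructed subset of the
lines quoted in the message.  Read every generated line before running any of
it: as Rob says, sometimes the spec is wrong and the file is right (a missing
/root/.rhosts is the correct state), in which case the fix is to edit
/etc/mtree/special, not the file system.

```shell
#!/bin/sh
# Added example (not from the original post): turn the (should, current)
# section of the NetBSD daily insecurity report into chown/chgrp/chmod
# commands for review.  Report layout assumed as quoted in the message:
#   "path: key (should, current)" followed by tab-indented "key (should, current)"
#   lines for the same path, and "missing: ./path" lines.

# Constructed sample report: a subset of the lines quoted in the message.
sample_report() {
    printf 'dev/fd: user (0, 3)\n\tgid (0, 7)\n\tpermissions (0755, 0555)\n'
    printf 'etc/hosts.equiv:\n\tpermissions (0600, 0644)\n'
    printf 'etc/named.boot:\n\ttype (file, link)\n\tpermissions (0644, 0755)\n'
    printf 'var/at: gid (1, 0)\n'
    printf 'missing: ./etc/crontab\nmissing: ./root/.rhosts\n'
}

# report_to_commands PREFIX < report
# PREFIX is the directory mtree was run against (-p /), so "/" on a live
# system.  The `should' value is always the first of the pair, so that is
# what the commands apply; anything that is not user/gid/permissions is
# reported as a comment because it cannot be fixed by chown/chmod.
report_to_commands() {
    awk -v prefix="$1" '
    function emit(path, attr,    key, vals, a, n, should, current) {
        key = attr; sub(/ .*/, "", key)
        vals = attr
        sub(/^[a-z]+ \(/, "", vals); sub(/\)[ \t]*$/, "", vals)
        n = split(vals, a, /, */)
        if (n != 2) { print "# cannot parse: " path ": " attr; return }
        should = a[1]; current = a[2]
        if (key == "user")             print "chown " should " " prefix path
        else if (key == "gid")         print "chgrp " should " " prefix path
        else if (key == "permissions") print "chmod " should " " prefix path
        else print "# " prefix path ": " key " is " current ", spec says " should " (fix by hand)"
    }
    # A file the spec lists but the tree lacks: either create it, or mark the
    # spec line "optional" as Rob did for .rhosts.
    /^missing: / {
        sub(/^missing: \.\//, "")
        print "# missing " prefix $0 ": create it, or append optional to its line in /etc/mtree/special"
        next
    }
    # Unindented line: "path:" possibly followed by the first mismatch.
    /^[^ \t]/ {
        path = $0; sub(/:.*/, "", path)
        attr = $0; sub(/^[^:]*:[ \t]*/, "", attr)
        if (attr != "") emit(path, attr)
        next
    }
    # Indented line: another mismatch for the path most recently seen.
    /^[ \t]/ {
        attr = $0; sub(/^[ \t]+/, "", attr)
        if (path != "") emit(path, attr)
    }'
}

# Show the commands for the constructed sample.  On a real system, feed it
# the saved report instead, e.g.:  report_to_commands / < /tmp/foo
# (where /tmp/foo holds the output of the mtree command quoted above), and
# review the result before executing any of it.
sample_report | report_to_commands /
```

For the sample above the filter emits three chmod lines (dev/fd, hosts.equiv
and named.boot), a chown and a chgrp for dev/fd, a chgrp for var/at, a
hand-fix comment for named.boot being a link where the spec wants a file, and
two comments for the missing crontab and .rhosts.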