11.6. Running a Security Audit

Several very good automated auditing packages are freely available on the Internet. The four most commonly used are these:
Because the well-known security holes tend to be somewhat operating system-specific, the effectiveness of the packages that check for these security holes is very dependent on which operating system you have, and which version of the operating system it is. If it's an operating system and version the package knows about, that's great. If it isn't, then the package has to grope around blindly, trying to guess what holes might exist. (Fortunately, attackers will usually have the same problem, if not to the same extent.) In some cases, packages will report holes that don't exist when they're run on unfamiliar systems.
Commercial packages that perform similar functions are now available. In general, the security scanning products are similar to PC virus software in that they require periodic updates in order to keep up with the latest vulnerabilities.
When you are doing security audits, you should be sure to use an appropriate checksum program. The standard Unix checksum programs (/bin/sum, for example) use a 16-bit cyclic redundancy check (CRC) algorithm that is designed to catch a sequence of random bit errors during data transfers. This does not work for detecting unauthorized changes to files because it is possible to reverse the CRC algorithm. This is known to attackers, and they have programs that manipulate the unused bytes in a file (particularly an executable binary file) to make the checksum for that file come out to whatever they want it to be. They can make a modified copy of /bin/login that produces the same checksum, and sum will not be able to detect any difference.
For real security, you need to use a "cryptographic" checksum algorithm like MD5 or Snefru; these algorithms produce larger and less predictable checksums that are much more difficult to spoof. The COPS, Tiger, and Tripwire auditing packages mentioned earlier all include and use such algorithms in place of the normal Unix checksum programs.
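The two claims above (a 16-bit checksum can be made to come out to any value by adjusting unused bytes, while a cryptographic hash recorded in a Tripwire-style baseline catches the change) can be demonstrated in a few dozen lines. The following is an added example, not code from the book or from COPS, Tiger or Tripwire. It assumes a CRC-16 (the ARC polynomial) as a stand-in for whatever /bin/sum computes on a given system, uses SHA-256 from Python's hashlib where the text names MD5 and Snefru, and works on constructed byte strings rather than real files.

```python
"""Added example (not from the book): a 16-bit CRC is not an integrity
check, but a baseline of cryptographic digests is.

Assumptions: CRC-16/ARC stands in for /bin/sum's algorithm; SHA-256
stands in for MD5/Snefru; the 'files' are constructed byte strings."""
import hashlib
import itertools


def crc16(data: bytes, crc: int = 0) -> int:
    """CRC-16/ARC (poly 0x8005, bit-reflected as 0xA001, init 0, no
    final XOR). The optional 'crc' argument lets a caller continue a
    checksum from an earlier prefix instead of re-reading the data."""
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def pad_to_crc(tampered: bytes, target_crc: int) -> bytes:
    """Append two 'unused' trailing bytes so that crc16(result) equals
    target_crc. With only 16 bits of checksum there are exactly 65536
    two-byte suffixes to try, and for a CRC whose polynomial has the +1
    term one of them always matches (the suffix-to-CRC map is a bijection).
    This is the weakness the text describes; it exists to show why a
    sum-style check must not be trusted for integrity."""
    prefix_crc = crc16(tampered)            # computed once, then extended
    for hi, lo in itertools.product(range(256), repeat=2):
        if crc16(bytes((hi, lo)), prefix_crc) == target_crc:
            return tampered + bytes((hi, lo))
    raise AssertionError("a 2-byte fix-up always exists for a 16-bit CRC")


def baseline(files: dict, algo: str = "sha256") -> dict:
    """Record one digest per path: the database a Tripwire-style tool
    keeps on read-only media and compares against on each audit."""
    return {path: hashlib.new(algo, data).hexdigest()
            for path, data in files.items()}


def verify(files: dict, db: dict, algo: str = "sha256") -> list:
    """Return paths whose digest differs from the baseline, plus any
    path that was added or removed since the baseline was taken."""
    changed = []
    for path in sorted(set(files) | set(db)):
        if path not in files or path not in db:
            changed.append(path)
        elif hashlib.new(algo, files[path]).hexdigest() != db[path]:
            changed.append(path)
    return changed


def demo() -> tuple:
    """Constructed stand-in for /bin/login and a modified copy of it.
    Returns (crc_detects_change, hash_detects_change)."""
    original = b"#!/bin/sh\n# constructed stand-in for /bin/login\nexec /usr/bin/true\n"
    modified = b"#!/bin/sh\n# constructed stand-in for /bin/login\nexec /usr/bin/false\n"
    # Adjust the trailing 'unused' bytes so the CRC matches the original.
    padded = pad_to_crc(modified, crc16(original))
    crc_detects = crc16(padded) != crc16(original)          # False
    db = baseline({"/bin/login": original})                 # taken when clean
    hash_detects = verify({"/bin/login": padded}, db) == ["/bin/login"]  # True
    return crc_detects, hash_detects


if __name__ == "__main__":
    print("CRC-16 noticed the change:", demo()[0])
    print("SHA-256 baseline noticed the change:", demo()[1])
```

The same baseline()/verify() pair also illustrates the operational point made for IRIX below: any legitimate process that rewrites binaries means a fresh baseline must be taken, on a known-good system, before the next audit is meaningful.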
The IRIX operating system from Silicon Graphics uses a process called re-quickstarting (RQS) to precalculate data needed for loading binaries and to speed up start time. RQS is run automatically as a part of most installations and can update every system binary. This should not be a problem on a bastion host, where software should not be installed regularly in any case. However, you should be aware that small installations may have wide-ranging effects and will require the recalculation of all checksums.
Copyright © 2002 O'Reilly & Associates. All rights reserved.