Running a Security Audit (Building Internet Firewalls, 2nd Edition)

11.6. Running a Security Audit

Several very good automated auditing packages are freely available on the Internet. The four most commonly used are these:

COPS: The Computer Oracle and Password System, developed by Dan Farmer and Gene Spafford
SATAN: Security Administrator's Tool for Analyzing Networks (also known as SANTA), developed by Dan Farmer and Wietse Venema
Tiger: Developed as part of the TAMU package by Texas A&M University
Tripwire: Developed by Gene H. Kim and Gene Spafford

COPS and Tiger both check for well-known security holes on the host they are run on. There is significant overlap in what COPS and Tiger check; however, they're both free, so it's a good idea to obtain and run both of them to get the best possible coverage. Tripwire is a filesystem integrity checker. It is strictly a tool for dealing with checksum databases; it is much better at this than either COPS or Tiger (which both have basic checksum database capabilities) but has no ability to check for well-known security holes. SATAN is a network-based application which tests hosts other than the one it is running on. These packages are independent of each other; there's nothing to prevent you from using all of them in combination on your bastion host, and that would probably be a good idea. Appendix B, "Tools", gives you information on how to get all four packages.

Because the well-known security holes tend to be somewhat operating system-specific, the effectiveness of the packages that check for these security holes is very dependent on which operating system you have, and which version of the operating system it is. If it's an operating system and version the package knows about, that's great. If it isn't, then the package has to grope around blindly, trying to guess what holes might exist. (Fortunately, attackers will usually have the same problem, if not to the same extent.) In some cases, packages will report holes that don't exist when they're run on unfamiliar systems.

Commercial packages that perform similar functions are now available. In general, the security scanning products are similar to PC virus software in that they require periodic updates in order to keep up with the latest vulnerabilities.

When you are doing security audits, you should be sure to use an appropriate checksum program. The standard Unix checksum programs (/bin/sum, for example) use a 16-bit cyclic redundancy check (CRC) algorithm that is designed to catch a sequence of random bit errors during data transfers. This does not work for detecting unauthorized changes to files because it is possible to reverse the CRC algorithm. This is known to attackers, and they have programs that manipulate the unused bytes in a file (particularly an executable binary file) to make the checksum for that file come out to whatever they want it to be. They can make a modified copy of /bin/login that produces the same checksum, and sum will not be able to detect any difference.

For real security, you need to use a "cryptographic" checksum algorithm like MD5 or Snefru; these algorithms produce larger and less predictable checksums that are much more difficult to spoof. The COPS, Tiger, and Tripwire auditing packages mentioned earlier all include and use such algorithms in place of the normal Unix checksum programs.

The IRIX operating system from Silicon Graphics uses a process called re-quickstarting (RQS) to precalculate data needed for loading binaries and to speed up start time. RQS is run automatically as a part of most installations and can update every system binary. This should not be a problem on a bastion host, where software should not be installed regularly in any case. However, you should be aware that small installations may have wide-ranging effects and will require the recalculation of all checksums.