Creating, Using and Justifying the Auditor's Toolkit
Transcript of Creating, Using and Justifying the Auditor's Toolkit
Creating, Using and Justifying the Auditor's Toolkit
ISACA Presentation, April 2003, Ed Capizzi
• Welcome
• General announcements
Schedule etc.
• Breakfast
• Intro, admin & methodology
• Outside-in tools
• Unix
• Lunch
• Windows
• Hands on
Administrivia
• Location information
• Pagers and cell phones
• Fire escapes
• Food
• Start and stop times
• Location of restrooms
• General room rules and mood
Assumptions
• Auditors have all the front-end time and field work time they need
• Auditors have large budgets for tools and training
• Auditors always get full cooperation of, and unlimited access to, audit areas
• No one minds being audited
• You are already experts on everything
Real World Assumptions
• You have to become an expert at everything FAST (or at least brush up!)
• You need something you can apply now
• You probably run a WinTel based machine
• You probably don't have admin / root level access (of your own) to the systems you audit
• You have to be part tech, part teacher, part politician
• Even “free, industry best practices” require some selling
Real World Assumptions
• This is one way to do things, not THE way
• Linux (for this presentation) is Red Hat
• Solaris (for this presentation) is 2.6
• HP-UX (for this presentation) is 11.x
Our Approach
• Learn to fish
• Basics, basics, basics
• Keep it simple
• Inside out, outside in
• Creative use of “indigenous resources” (utilities included in the existing OS)
• Audits (and auditors) must be “environmentally friendly and low impact”
Our Approach
1. Subsystem(s) involved
2. Best practice examples/settings
3. Ramifications of settings or principles
4. How to sell to administrators and management
5. Which tool to use to accomplish which task
15 Main Areas
1) Account Policies
2) Auditing
3) Device Drivers
4) Drives
5) Event Log
6) Printer Permissions
7) Processes
8) Registry
9) Remote Access
10) Scheduled Tasks
11) System Info
12) Services
13) Shares
14) Trusted Relationships
15) Users & Groups
Account Policies
What are the tools?
– admintool (GUI, Solaris)
  • /etc/default/passwd (Sun)
  • /etc/passwd
– sam (GUI, HP-UX)
  • /etc/passwd
– userconf or redhat-config-users (GUI, Red Hat Linux)
  • /etc/passwd (Linux)
What can they tell us?
Account Policies
What can they tell us? The fields of /etc/passwd:
o login name
o encrypted password (or a placeholder such as x when the real hash lives in the shadow file)
o numerical user ID
o numerical group ID
o GECOS field (comment / full name)
o initial working directory
o program to use as shell
BUT WE WANT MORE!
Account Policies
To get more (password aging, expiry and lockout information), the system has to be using shadow passwords (Solaris / Linux):
/etc/shadow
or a “trusted system” (HP-UX):
/tcb/files/auth/
More on this later, stay tuned...
Account Policies
Where are the files? (review)
Standard systems
/etc/passwd (Sun, HP-UX & Linux)
/etc/default/passwd (Sun, password policy defaults)
Shadowed or trusted systems
/etc/default/passwd (Sun)
/etc/shadow (Sun & Linux)
/tcb/files/auth/ (HP-UX)
[Screenshots: HP-UX SAM and Linuxconf user-management screens]
Auditing
• user logon / logoff
• system restart, start up, shutdown
• object access
Auditing
Linux
– /etc/syslog.conf
– /var/log/messages
Sun
– /etc/syslog.conf
– /var/adm/messages
HP-UX
– /etc/syslog.conf
– /var/adm/syslog/syslog.log
Auditing
Linux & HP-UX: dmesg (boot diagnostics & kernel messages)
Sun: prtdiag (hardware configuration and diagnostics)
Cool tool alert!!! Rosetta Stone for Unix: a cross-reference of equivalent commands and files across Unix flavours (URL in the list at the end)
Auditing: lastb (failed login attempts), last (login history and reboots), dmesg
[Screenshots: sample output of each]
Auditing
• HP-UX “Trusted System”
– passwords moved out of /etc/passwd (into /tcb/files/auth/)
– all users must have a password
– check /etc/rc.config.d/auditing and /sbin/rc2.d/S760auditing for the auditing control parameters
– /tcb/files/ttys: per-terminal records (uid of the user who last logged in on the terminal, successful logins and unsuccessful logins)
Auditing, a.k.a. setting up syslog!
syslog.conf
• Simple text file; each line is a selector and a target: facility.level <Tab> target, e.g. mail.* /var/log/maillog
• Permissions on the log files matter:
-rw------- 1 root root 702093 Mar 17 17:56 /var/log/messages
Owned by root (rw); a 'log' group may have read (r) if needed; 'other' gets no permissions
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none                          /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
Syslog logging levels (most to least severe)
• emerg    System is unusable
• alert    Action must be taken NOW
• crit     Critical conditions
• err      Error conditions
• warning  Warning conditions
• notice   Normal but significant
• info     FYI
• debug    More than you want to know (programmers only)
Syslog targets
• /path/to/file         Message appended to the given file
• @loghost              Sent to the syslog server on host 'loghost'
• *                     Message written to all logged-in users
• user1,user2           Message written to user1 & user2 if they are logged in
• /dev/console          Message written to the named tty (here the console)
• |/path/to/named_pipe  Message written to a named pipe
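Two checks that follow from the syslog slides, as an added example (not code from the original presentation): does syslog.conf actually deliver the auth and authpriv facilities somewhere and ship a copy to a remote @loghost, and are the log files readable only by root. The syslog.conf samples and the log files it examines are constructed for the demo; the parser follows syslog's selector rules (facilities comma-separated, selectors semicolon-separated, a later facility.none cancelling an earlier *.level).

```shell
#!/bin/sh
# Added example, not from the original slides. Two checks an auditor makes
# on syslog from the files collected in /tmp: (1) does syslog.conf send the
# auth and authpriv facilities anywhere, and does a copy leave the box via an
# @loghost target (logs kept only on a compromised host are not evidence);
# (2) are the log files themselves readable only by root. Sample files are
# constructed.

# audit_syslog_conf FILE: one RULE line per selector/target, FINDING lines,
# then "SUMMARY findings=N". Selector parsing follows syslog semantics:
# facilities comma-separated, selectors semicolon-separated, and a later
# "facility.none" cancels an earlier "*.level" for that facility.
audit_syslog_conf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        sel = $1; target = $2
        a = 0; ap = 0                         # does auth / authpriv reach this target?
        n = split(sel, parts, ";")
        for (i = 1; i <= n; i++) {
            dot = index(parts[i], ".")
            if (dot == 0) continue
            lvl = substr(parts[i], dot + 1)
            val = (lvl == "none") ? 0 : 1
            m = split(substr(parts[i], 1, dot - 1), facs, ",")
            for (j = 1; j <= m; j++) {
                if (facs[j] == "*")             { a = val; ap = val }
                else if (facs[j] == "auth")     a = val
                else if (facs[j] == "authpriv") ap = val
            }
        }
        if (a)  auth_ok = 1
        if (ap) authpriv_ok = 1
        if (target ~ /^@/) remote_ok = 1
        print "RULE " sel " -> " target
    }
    END {
        if (!auth_ok)     { print "FINDING: auth facility (login, su) is not logged anywhere"; findings++ }
        if (!authpriv_ok) { print "FINDING: authpriv facility is not logged anywhere (no /var/log/secure equivalent)"; findings++ }
        if (!remote_ok)   { print "FINDING: no @loghost target, the only copy of the logs is on the audited host"; findings++ }
        print "SUMMARY findings=" findings + 0
    }' "$1"
}

# log_perms_ok FILE: true if group and other have no permission bits, i.e. the
# -rw------- shown on the slide. Parses ls -l because stat(1) differs between
# HP-UX, Solaris and Linux.
log_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# --- demo on constructed input -------------------------------------------
demo=$(mktemp -d)
cat >"$demo/syslog.conf" <<'EOF'
# constructed: modelled on the Red Hat default shown on the slides, plus a loghost
*.info;mail.none;authpriv.none      /var/log/messages
authpriv.*                          /var/log/secure
mail.*                              /var/log/maillog
*.emerg                             *
*.info;authpriv.*                   @loghost
EOF
cat >"$demo/syslog-weak.conf" <<'EOF'
# constructed: authpriv excluded from messages and never logged, nothing shipped off-box
*.info;mail.none;authpriv.none      /var/log/messages
mail.*                              /var/log/maillog
EOF
touch "$demo/messages"; chmod 600 "$demo/messages"
touch "$demo/secure";   chmod 644 "$demo/secure"     # constructed: world-readable log

audit_syslog_conf "$demo/syslog.conf"
audit_syslog_conf "$demo/syslog-weak.conf"
log_perms_ok "$demo/messages" && echo "messages: permissions ok"
log_perms_ok "$demo/secure"   || echo "secure: FINDING group/other can read the log"
```

Run audit_syslog_conf against the syslog.conf you copied to /tmp and log_perms_ok against each target it names; the weak sample reproduces the common mistake of excluding authpriv from messages without giving it a file of its own.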
Device Drivers
• How the system handles hard drives, keyboards or any other peripheral attached to the system
• Device nodes live in /dev
– Character devices: transfer data a character (byte) at a time, unbuffered (terminals, serial ports, raw disks)
– Block devices: transfer data in fixed-size blocks (512 or 1024 bytes) through the kernel's buffer cache (disks); faster for bulk access
Devices
• The device type is indicated by the first character in the permission block (c = character, b = block), e.g.
crw--w--w- 1 root root 4, 1 Jul 19 13:26 tty1
crw--w--w- 1 root root 4, 2 Jul 19 13:26 tty2
Major device number (4 above) – identifies the device driver
Minor device number (1 and 2 above) – identifies the particular device handled by that driver
Devices
• Device permissions are important!
• /dev/kmem = kernel memory
• /dev/hda1 = hard disk partition (Linux)
– read access to a raw disk or memory device lets a user dump file contents directly, bypassing file permissions and the password check entirely
• Use groups and sudo rather than loosening the device modes
Drives
• mount – to show what is mounted
• df -k, df -h – to see free space
• /etc/fstab (/etc/vfstab on Solaris) – file system mount point descriptions
• /dev/dsk vs /dev/rdsk (Solaris): block (buffered) vs raw (character) access to the same disk
Local vs remote
• mount
• /etc/fstab
• /etc/dfs/dfstab (Solaris)
• share – lists all current shares (Sun)
• exportfs -v – lists all current exports (HP-UX & Linux)
• nfsstat – NFS performance statistics (HP-UX & Sun)
Event Log
• Syslog (and /etc/syslog.conf)
• /var/log/messages (Linux), /var/adm/messages (Sun), /var/adm/syslog/syslog.log (HP-UX)
• tail and/or grep through them
• Ask whether Swatch or logcheck may be running (automated log monitors)
Printer Permissions
• /etc/hosts.lpd = hosts that can print
– you can also put them in /etc/hosts.equiv, but that opens them to the r-services too!
• Solaris: lpadmin; ls -alR /etc/lp
• Linux: cat /etc/printcap.local (shows all local printers); printtool (GUI)
• HP-UX: lpadmin; /etc/lp/*; /var/adm/lp*
Processes
• Before we begin: policy, best practices, goals of security
init Process
init is always process #1 (everything that happens before it is part of the kernel or a kernel process).
The “system father task” that spawns all child processes needed for operation.
Configuration file: /etc/inittab
/etc/inittab
• Each entry is identifier:runlevel(s):action:process
• Defines the default run level, e.g.
– id:5:initdefault:
– strt:3:initdefault:
• Executes entries that have sysinit in the action field first (so any special initialisation takes place before users log in)
• Defines processes for specific run levels, e.g.
– rebt:6:wait:/etc/init.d/announce restart
Runlevels
• 0 – Shut down or halt the system
• 1 – Single user (administrative) mode
• 2 – Basic multi-user mode (all daemons, no NFS server)
• 3 – Multi-user mode (all daemons and NFS server)
• 4 – Reserved / unused
• 5 – Solaris: shut down and power off; Linux: multi-user with graphical login
• S or s – Single user mode with file systems mounted and accessible
• 6 – Reboot the machine (passes through runlevel 0)
Run Levels (cont'd): how do I display the current runlevel?
• HP-UX & Solaris
# who -r
   .       run-level 3  Feb 28 10:55     3    0  S
Fields: current run level, date and time of the last run level change, current run level again, number of times at this run level since the last reboot, previous run level
• Linux
# /sbin/runlevel
N 5   (no previous run level, now 5)
3 5   (3 before, 5 now)
rc scripts
Run control scripts exist for each run level; they start and/or stop all processes needed to put the system into the appropriate run level.
• S = start, K = kill (stop)
• processed sequentially in numbered order, 00-99
Solaris rc scripts
• /sbin/rc<n> – the script for run level n, which runs the contents of the matching directory
• /sbin/rc3 -> /etc/rc3.d/
– S15nfs.server
Linux rc scripts
• /etc/rc.d/rc.local
• /etc/rc.d/rc<n>.d – a directory for each run level
• /etc/rc.d/rc3.d/
– K20nfs
HP-UX rc scripts
• /sbin/rc<n>.d – a directory for each run level
• /sbin/rc3.d/
– K20nfs
Processes
• ps -aef (System V style: Solaris, HP-UX)
• ps -aux (BSD style: Linux)
• inetd and its configuration, /etc/inetd.conf
• how to start and stop daemons: /etc/init.d/<name> start | stop | restart
• /proc directory: cd /proc/<pid>; ls
• top – live process list sorted by CPU use
[Screenshots: ps -aef, ps -aux, /etc/inetd.conf and top output]
Processes
• /etc/services – read by inetd to map service names to ports; excerpt:
netstat    15/tcp
qotd       17/tcp    quote
msp        18/tcp              # message send protocol
msp        18/udp              # message send protocol
chargen    19/tcp    ttytst source
chargen    19/udp    ttytst source
ftp-data   20/tcp
ftp        21/tcp
fsp        21/udp    fspd
ssh        22/tcp              # SSH Remote Login Protocol
ssh        22/udp              # SSH Remote Login Protocol
telnet     23/tcp
Registry: BIND, SNMP, HTTP
• BIND
• SNMP
• HTTP
BIND
• nslookup: switch to the server in question, then try to list the zone with ls -d domain (a zone transfer). A well-configured server refuses it:
C:\>nslookup
Default Server: hm01.mycompany.com
Address: 10.199.128.10
> server 10.199.128.10
Default Server: hm01.mycompany.com
Address: 10.199.128.10
> ls -d mycompany.com
[hm01.mycompany.com]
*** Can't list domain mycompany.com: Query refused
• /etc/named.conf: check who is allowed to transfer the zone
grep -i -A 10 'allow' /etc/named.conf
allow-transfer {
    127.0.0.1;   // localhost
    10.0.0.2;    // secondary DNS server for my zone
};
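As an added example (not from the original slides), the named.conf side of this check done properly rather than by eyeballing grep -A 10: extract every allow-transfer block, attribute it to the options or zone block it sits in, and report what it permits. The two named.conf files are constructed; in BIND 8 and 9 a zone with no allow-transfer statement at all can be pulled by any host, so that case is reported as a finding too.

```shell
#!/bin/sh
# Added example, not from the original slides. Rather than eyeballing
# "grep -A 10 allow", pull every allow-transfer { ... } block out of a
# named.conf and say what it permits. "any" means every host on the network
# can pull the whole zone with ls -d / AXFR; no allow-transfer statement at
# all is the same thing by default in BIND 8 and 9. The two named.conf files
# below are constructed for the demo.

audit_allow_transfer() {   # audit_allow_transfer /path/to/named.conf
    awk '
    { sub(/\/\/.*/, ""); sub(/#.*/, "") }            # drop // and # comments
    /^[ \t]*(options|zone)[ \t]/ {                     # remember which block we are in
        ctx = $0; sub(/[ \t]*\{.*/, "", ctx); sub(/^[ \t]+/, "", ctx)
    }
    /allow-transfer/ { inblk = 1; acl = ""; sub(/.*allow-transfer[ \t]*\{/, "") }
    inblk {                                            # collect up to the closing brace
        line = $0; done = 0
        if (index(line, "}") > 0) { line = substr(line, 1, index(line, "}") - 1); done = 1 }
        acl = acl " " line
        if (done) { report(acl); inblk = 0 }
        next
    }
    END {
        if (!seen) { print "FINDING: no allow-transfer statement, every host may AXFR the zones"; findings++ }
        print "SUMMARY findings=" findings + 0
    }
    function report(a,   n, i, parts, p) {
        seen = 1
        n = split(a, parts, ";")
        for (i = 1; i <= n; i++) {
            p = parts[i]; gsub(/[ \t]+/, "", p)
            if (p == "")          continue
            if (p == "any")       { print "FINDING: " ctx ": allow-transfer { any; } lets every host pull the zone"; findings++ }
            else if (p == "none") print "OK: " ctx ": zone transfers disabled"
            else                  print "OK: " ctx ": transfers allowed to " p
        }
    }' "$1"
}

# --- demo on constructed input -------------------------------------------
work=$(mktemp -d)
cat >"$work/named-good.conf" <<'EOF'
options {
    directory "/var/named";
    allow-transfer {
        127.0.0.1;   // localhost
        10.0.0.2;    // secondary DNS server for my zone
    };
};
zone "mycompany.com" { type master; file "mycompany.com.zone"; };
EOF
cat >"$work/named-open.conf" <<'EOF'
options { directory "/var/named"; };
zone "mycompany.com" {
    type master; file "mycompany.com.zone";
    allow-transfer { any; };   # constructed: anyone can list the zone
};
zone "internal.mycompany.com" { type master; file "int.zone"; allow-transfer { none; }; };
EOF
audit_allow_transfer "$work/named-good.conf"
audit_allow_transfer "$work/named-open.conf"
```

A zone-level allow-transfer overrides the one in options, which is why the report names the enclosing block: an options-level restriction is no comfort if one zone says any.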
ICAT Metabase
ICAT Metabase
ICAT Metabase
SNMP
• SNMP files (HP-UX)
– /usr/sbin/snmpd
– /usr/sbin/snmpdm
– /usr/sbin/mib2agt
– /usr/sbin/hp_unixagt
– /usr/sbin/trapdestagt
– /etc/SnmpAgent.d/snmpd.conf
– /var/adm/snmpd.log
– /opt/OV/snmp_mibs/
– /sbin/SnmpAgtStart.d/
SNMP
• What the default community string gives away: snmpwalk 10.10.2.1 public
system.sysDescr.0 = HP-UX Alice B.11.00 E 9000/889
system.sysObjectID.0 = OID: enterprises.11.2.3.2.3
system.sysUpTime.0 = Timeticks: (1062137248) 122 days, 22:22:52.48
system.sysContact.0 =
system.sysName.0 = tinker
system.sysLocation.0 =
system.sysServices.0 = 72
system.sysORLastChange.0 = Timeticks: (0) 0:00:00.00
interfaces.ifNumber.0 = 3
at.atTable.atEntry.atIfIndex.1.1.170.199.6.1 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.5 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.9 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.30 = 1
at.atTable.atEntry.atIfIndex.1.1.170.199.6.43 = 1
HTTP
• Banner-grab the web server by hand (the request line is followed by a blank line):
# telnet 10.10.2.1 80
Trying...
Connected to 10.10.2.1.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 17 Apr 2003 21:24:56 GMT
Server: HP Apache-based Web Server/1.3.26 (Unix)
Last-Modified: Thu, 20 Mar 2003 19:57:37 GMT
ETag: "ae3-116e-3e7a1d31"
Accept-Ranges: bytes
Content-Length: 4462
Connection: close
Content-Type: text/html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Startup Page for HP Apache-based Web Server on HP-UX</TITLE>
<style type="text/css">
<!--
BODY {
font-family: Verdana, Helvetica, Arial, Sans-serif;
}
H1 {
font-family: Verdana, Helvetica, Arial, Sans-serif;
font-size:24pt;
}
-->
</style>
Remote Access
• r-services (rlogin, rsh, rexec)
• telnet
• ssh
• /var/log/secure (Linux): cat and grep for in.telnetd, in.rlogind, sshd, etc.
find /var/log/ -name 'secure*' -exec cat {} \; >/tmp/sec.log.atxt
• rpcinfo -p – prints the registered RPC programs if the portmapper is running
Scheduled Tasks
• cron: crontab -l lists the current user's jobs (as root, check every other user's crontab too, not just your own)
Each line has five time fields followed by the command:
21 14 * * 2 /path/to/whatever
1 MINUTE (0-59)
2 HOUR (0-23)
3 DAY OF MONTH (1-31)
4 MONTH OF YEAR (1-12)
5 DAY OF WEEK (0-6), where 0 = Sun, 2 = Tue, 4 = Thu, 6 = Sat
so the example runs /path/to/whatever at 14:21 every Tuesday. For each entry, check what the program does and who can write to it (the slide's other example was a script run via /bin/sh /etc/2run).
System Info
• dmesg
• prtconf -v (Solaris)
• ioscan (HP-UX)
System Info: dmesg (Solaris sample)
Variable size pages used to map 1000 graf pages at f7000000
NOTICE: nfs3_link(): File system was registered at index 3.
NOTICE: autofs_link(): File system was registered at index 6.
NOTICE: cachefs_link(): File system was registered at index 7.
System Info: ioscan (HP-UX sample; hardware path and driver per device)
8          ccio
8/4        c720
8/4.2      tgt
8/4.2.0    stape
8/4.7.0    sctl
8/4.15.0   sdisk
8/8        c720
8/8.7      tgt
8/8.7.0    sctl
8/16       bus_adapter
Services
• /etc/services
• inetd – the “super daemon”:
1. at start-up reads its configuration file, /etc/inetd.conf, and looks each service name up in /etc/services to learn which port to listen on,
2. accepts incoming connections on those ports,
3. starts the program configured for that service (as the configured user) to handle the connection
Services
• /etc/services format: <official service name> <port number/protocol name> <aliases> # comment
ftp-data 20/tcp # File Transfer Protocol (Data)
ftp 21/tcp # File Transfer Protocol (Control)
telnet 23/tcp # Virtual Terminal Protocol
smtp 25/tcp # Simple Mail Transfer Protocol
time 37/tcp timeserver # Time
time 37/udp timeserver #
rlp 39/udp resource # Resource Location Protocol
whois 43/tcp nicname # Who Is
Services
• /etc/inetd.conf
# A line in the configuration file has the following fields, separated by tabs and/or spaces:
#   service name          as in /etc/services
#   socket type           either "stream" or "dgram"
#   protocol              as in /etc/protocols
#   wait/nowait           only applies to datagram sockets; stream sockets should specify nowait
#   user                  name of the user as whom the server should run
#   server program        absolute pathname for the server inetd will execute
#   server program args   arguments the server program uses as they normally are, starting with argv[0], which is the name of the server
ftp     stream  tcp  nowait  root  /usr/lbin/ftpd     ftpd -l     (-l causes each FTP session to be logged via syslog)
telnet  stream  tcp  nowait  root  /usr/lbin/telnetd  telnetd
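An added example (not from the original slides) that does for /etc/inetd.conf what the presentation's grep.txt does for /etc/services: list the services inetd will actually start, the user each runs as, and flag the “usual suspects”. The suspect list is the grep.txt list from the “Putting it all together” slides plus telnet and ftp from the Remote Access slide; the inetd.conf is constructed in the HP-UX layout shown above.

```shell
#!/bin/sh
# Added example, not from the original slides. Lists the services inetd will
# actually start (every non-comment line), the user each runs as, and flags
# the slides' "usual suspects": clear-text or trust-based protocols an auditor
# expects to see disabled. The inetd.conf below is constructed in the HP-UX
# layout shown on the slide; Solaris and Linux inetd use the same columns.

# suspects = the grep.txt list from the "Putting it all together" slides,
# plus telnet and ftp from the Remote Access slide
SUSPECTS="talk ntalk name finger uucp tftp shell login exec comsat systat netstat telnet ftp"

audit_inetd_conf() {   # audit_inetd_conf /path/to/inetd.conf
    awk -v suspects="$SUSPECTS" '
    BEGIN { n = split(suspects, s, " "); for (i = 1; i <= n; i++) bad[s[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # commented out = disabled
    NF >= 6 {
        svc = $1; sub(/\/.*/, "", svc)         # Solaris RPC entries look like name/version
        proto = $3; user = $5; prog = $6
        flag = ""
        if (svc in bad) { flag = "  <-- SUSPECT: clear-text or trust-based"; findings++ }
        if (user == "root" && prog != "internal") asroot++
        printf "%-8s %-6s user=%-6s %s%s\n", svc, proto, user, prog, flag
        enabled++
    }
    END { printf "SUMMARY enabled=%d asroot=%d findings=%d\n", enabled + 0, asroot + 0, findings + 0 }
    ' "$1"
}

# --- demo on constructed input -------------------------------------------
work=$(mktemp -d)
cat >"$work/inetd.conf" <<'EOF'
# constructed sample inetd.conf (HP-UX paths)
ftp      stream tcp nowait root /usr/lbin/ftpd     ftpd -l
telnet   stream tcp nowait root /usr/lbin/telnetd  telnetd
#login   stream tcp nowait root /usr/lbin/rlogind  rlogind
shell    stream tcp nowait root /usr/lbin/remshd   remshd
finger   stream tcp nowait bin  /usr/lbin/fingerd  fingerd
#tftp    dgram  udp wait   root /usr/lbin/tftpd    tftpd
echo     stream tcp nowait root internal
daytime  stream tcp nowait root internal
EOF
audit_inetd_conf "$work/inetd.conf"
```

The commented-out login and tftp lines are deliberately absent from the output: a commented entry is the normal way a service is disabled, so what matters is the lines that remain. The asroot count lists external programs inetd runs as root, which is where a bug in the server becomes a root compromise.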
Shares
• NIS (Network Information Service), formerly YP (Yellow Pages)
• NFS (Network File System)
NFS Server (Solaris)
• Daemons: mountd, nfsd, statd, nfslogd
• Files:
/etc/dfs/dfstab – list of all local file systems automatically shared at boot
/etc/dfs/rmtab – table of NFS file systems mounted by clients
/etc/dfs/nfslog.conf – defines path, file names & logging options
• Commands: share, unshare, dfshares, dfmounts (all show share-in-use information)
NFS Security
• In general: only run NFS as needed, and apply the latest patches
• Careful use of /etc/exports (or /etc/dfs/dfstab on Sun): restrict each export to named clients
• Read-only if possible
• No suid if possible
• Fully qualified host names
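The NFS checklist above applied to the export files themselves, as an added example (not from the original slides). It handles the two syntaxes the presentation mentions: Linux/HP-UX style /etc/exports (path followed by client(options) entries) and Solaris /etc/dfs/dfstab share lines. Both sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original slides. Applies the slide's NFS
# checklist to the export files: is every export restricted to named clients,
# is it read-only where possible, does remote root keep its privileges, are
# the client names fully qualified. Two syntaxes are handled: Linux
# /etc/exports (path, then client(options) entries) and Solaris
# /etc/dfs/dfstab share(1M) lines. Both sample files are constructed.

audit_exports() {        # audit_exports /etc/exports   (Linux style)
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        path = $1
        if (NF == 1) { print "FINDING: " path " exported with no client list at all (world)"; findings++; next }
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) { host = substr(spec, 1, p - 1); opts = substr(spec, p + 1); sub(/\)$/, "", opts) }
            if (host == "" || host == "*")  { print "FINDING: " path " exported to every host (" spec ")"; findings++ }
            if (opts ~ /no_root_squash/)    { print "FINDING: " path " lets root on " host " stay root (no_root_squash)"; findings++ }
            if (opts ~ /(^|,)rw(,|$)/)      print "NOTE: " path " is writable from " host
            if (host ~ /^[A-Za-z][^.]*$/)   print "NOTE: client " host " for " path " is not a fully qualified name"
        }
    }
    END { print "SUMMARY findings=" findings + 0 }' "$1"
}

audit_dfstab() {         # audit_dfstab /etc/dfs/dfstab   (Solaris share lines)
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $1 == "share" {
        path = $NF; opts = ""
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        if (opts ~ /(^|,)rw(,|$)/)               { print "FINDING: " path " is writable by every host (bare rw)"; findings++ }
        else if (opts !~ /(^|,)(ro|rw|access)=/) { print "FINDING: " path " has no client list (no ro=/rw=/access=)"; findings++ }
        if (opts ~ /(^|,)root=/)                 { print "FINDING: " path " grants remote root (" opts ")"; findings++ }
        print "SHARE " path " options=" (opts == "" ? "(none)" : opts)
    }
    END { print "SUMMARY findings=" findings + 0 }' "$1"
}

# --- demo on constructed input -------------------------------------------
work=$(mktemp -d)
cat >"$work/exports" <<'EOF'
# constructed /etc/exports
/export/home   client1.example.com(rw,root_squash)   10.0.0.0/24(ro)
/export/pub    *(ro)
/export/tools  build(rw,no_root_squash)
/export/old
EOF
cat >"$work/dfstab" <<'EOF'
# constructed /etc/dfs/dfstab
share -F nfs -o ro=client1.example.com /export/home
share -F nfs -o rw,root=server2 /export/data
EOF
audit_exports "$work/exports"
audit_dfstab  "$work/dfstab"
```

On a live host compare the file with what is actually exported (exportfs -v, share, showmount -e) since an administrator may have exported something by hand that never made it into the file.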
NFS Client
• Daemons (look for them): statd, lockd
• Files (review): /etc/vfstab, /etc/mnttab, /etc/dfs/fstypes
• Commands: dfshares, dfmounts
NIS
• If you do NOT use NIS or NIS+, make your HP-UX system a trusted system for easier system security
NIS
Daemon / command   Function
ypserv             Server process
ypwhich            Lists the name of the NIS server (client)
ypcat -x           Displays the NIS map nicknames; ypcat <map> displays a map's contents (client)
NIS: what's exported
# ypwhich
ypwhich: the NIS domain name hasn't been set on this machine     (NIS is not in use)
# exportfs -v                                                     (HP-UX: shows everything exported)
nothing exported
# ypcat -x   (or ypwhich -x)
Use "passwd" for map "passwd.byname"
Use "group" for map "group.byname"
Use "networks" for map "networks.byaddr"
Use "hosts" for map "hosts.byaddr"
Use "protocols" for map "protocols.bynumber"
Use "services" for map "services.byname"
Use "aliases" for map "mail.aliases"
Use "ethers" for map "ethers.byname"
NIS (HP-UX)
• cat /var/yp/secureservers – on a client, defines which NIS servers it will accept answers from (netmask, then address):
255.255.255.255 192.1.1.1      only one server
255.255.0.0     128.1.0.0      any server on the 128.1.0.0/16 network
• cat /var/yp/securenets – on a server, defines which clients it will answer:
255.255.255.255 192.1.1.2      only one client
255.255.0.0     128.1.0.0      any client on the 128.1.0.0/16 network
Trusts
• /etc/hosts.equiv
– non-root access request: if the client host is listed, and the account exists in /etc/passwd, you're in! (no password challenge)
• ~/.rhosts
– per-user file, checked in addition to hosts.equiv; for root, /etc/hosts.equiv is ignored and only /.rhosts is consulted: if the host (and user) match, you're in! No jacket required!
– a line that is just “+” trusts every host, and “+ +” trusts every host and every user
• /etc/ftpusers: if they're in here, they are denied FTP login
– root, uucp, adm, lp, smtp, bin, nobody etc. are all good candidates!
Trusts: TCP Wrappers
TCP Wrappers (tcpd) is placed in inetd.conf in front of the real server; it checks the client address against the access lists and only then execs the real daemon, so the check happens before any service code runs.
• /etc/hosts.deny (ALL:ALL) – hosts that will be denied access (deny everything by default)
• /etc/hosts.allow (only trusted hosts!) – hosts that will be permitted access; hosts.allow is consulted first, so an allow match wins
Trusts
• /usr/adm/sulog (i.e. /var/adm/sulog on HP-UX and Solaris) – see who has been switching users
• /var/log/messages (Linux) – see who has been switching users
• find / -nouser -print -o -nogroup -print      (files with no valid owner or group)
• find / -user root -perm -004000 -print        (setuid-root files)
• find / -xdev -perm -004000 -exec ls -l {} \;
• find / -name .rhosts -exec cat {} \; >audit.rh
• find / -name .netrc                           (stored FTP credentials)
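The trust and setuid checks above run as functions, as an added example that is not from the original slides. It builds a throw-away directory tree (constructed for the demo) standing in for the parts of a host these checks care about, flags .rhosts and hosts.equiv files containing the “+” wildcard, and lists setuid/setgid files with the same find predicates the slide uses. On a real host point the functions at / as root.

```shell
#!/bin/sh
# Added example, not from the original slides. Builds a throw-away tree that
# mimics the parts of a host these checks care about, then (1) finds every
# .rhosts and hosts.equiv and flags "+" wildcard trust (any host, or any host
# and any user), and (2) lists setuid/setgid files with the same find(1)
# predicates as the slide. Point the functions at / on a real host (as root,
# and expect it to take a while); the tree below is constructed.

audit_trust_files() {   # audit_trust_files ROOT
    find "$1" \( -name .rhosts -o -name hosts.equiv \) -type f 2>/dev/null |
    while read -r f; do
        # a line that is just "+" trusts every host; "+ +" every host and every user
        if grep -q -x -E '[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*' "$f"; then
            echo "FINDING: $f has wildcard trust:"
            grep -x -E '[[:space:]]*\+([[:space:]]+\+)?[[:space:]]*' "$f" | sed 's/^/    /'
        else
            echo "OK: $f lists explicit hosts only"
        fi
    done
    return 0
}

audit_setuid() {        # audit_setuid ROOT  (same predicates as the slide: -perm -4000 / -2000)
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
    return 0
}

# --- demo on a constructed tree ------------------------------------------
t=$(mktemp -d)
mkdir -p "$t/etc" "$t/root" "$t/home/bob" "$t/usr/bin"
printf '+\n'                      >"$t/etc/hosts.equiv"   # constructed: trust every host
printf '+ +\n'                    >"$t/root/.rhosts"      # constructed: every host and user, as root
printf 'trusted.example.com bob\n' >"$t/home/bob/.rhosts" # constructed: explicit entry
printf '#!/bin/sh\n' >"$t/usr/bin/su";   chmod 4755 "$t/usr/bin/su"    # setuid
printf '#!/bin/sh\n' >"$t/usr/bin/wall"; chmod 2755 "$t/usr/bin/wall"  # setgid
printf '#!/bin/sh\n' >"$t/usr/bin/ls";   chmod 755  "$t/usr/bin/ls"    # neither

audit_trust_files "$t"
audit_setuid "$t"
```

Save the setuid listing from the first audit: on the next visit a diff against it shows exactly which privileged binaries appeared, which is far quicker than reviewing the whole list again.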
Users & Groups
• /etc/passwd
Rights on the file matter: if I can change my UID to 0, I'm root
-rw-r--r-- 1 root root 683 Jan 29 07:19 /etc/passwd
Contents of the file: username:passwd:uid:gid:comments:directory:shell
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
• Shadow passwords or trusted system in use?
Shadow Passwords
• Solaris, Linux: /etc/shadow
• HP-UX: /tcb/files/auth
Shadow Passwords: fields of /etc/shadow
username:password:date of last change (days since 01/01/1970):minimum days between changes:maximum days between changes:days warning in advance of expiry:days after expiry before the account is disabled:account expiry date:reserved (empty)
root:$1$RY7BRRo9$vbJX3mu0ESeUAhlfYYupk1:12081:0:99999:7:-1:134539236
bin:**:11926:0:99999:7:::
daemon:*:11926:0:99999:7:::
adm::11926:0:99999:7:::
Note the last line: an empty password field means no password is required at all, and 99999 as the maximum means the password never expires.
Users & Groups
• /etc/group
Rights on the file matter: if I can change my GID to 0 (or add myself to the root group), I've got root-group access
-rw-r--r-- 1 root root 455 Jan 29 07:19 /etc/group
Contents of the file: group_name:password:group_id:list of members
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
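The checks an auditor runs once passwd, shadow and group are in /tmp, as an added example (not from the original slides): second UID 0 accounts, empty password fields, passwords that never expire, system accounts that still have a login shell, and extra members of GID 0. Field layouts are the ones described on the slides; the three sample files are constructed and the hashes in them are not real credentials.

```shell
#!/bin/sh
# Added example, not from the original slides. The checks an auditor runs
# once the passwd, shadow and group files are in /tmp: extra UID 0 accounts,
# accounts with an empty password field, passwords that never expire
# (max days 99999), system accounts that still have a login shell, and
# members of GID 0. Field layout follows the slides; the sample files are
# constructed (the hashes are not real credentials).

audit_passwd() {   # audit_passwd /tmp/passwd.atxt
    awk -F: '
    NF < 7 { print "FINDING: malformed passwd line " NR ": " $0; findings++; next }
    $3 == 0 && $1 != "root" { print "FINDING: " $1 " has UID 0 (a second root account)"; findings++ }
    $2 == ""                { print "FINDING: " $1 " has an empty password field (no password required)"; findings++ }
    $3 < 100 && $1 != "root" {
        if ($7 == "") print "NOTE: system account " $1 " has an empty shell field, which login treats as /bin/sh"
        else if ($7 !~ /(nologin|false|sync|halt|shutdown)$/) print "NOTE: system account " $1 " has interactive shell " $7
    }
    END { print "SUMMARY findings=" findings + 0 }' "$1"
}

audit_shadow() {   # audit_shadow /tmp/shadow.atxt
    awk -F: '
    NF < 8       { print "FINDING: malformed shadow line " NR ": " $0; findings++; next }
    $2 == ""     { print "FINDING: " $1 " has no password in shadow (passwordless login)"; findings++; next }
    $2 ~ /^[*!]/ { next }                       # locked or no-login account: aging irrelevant
    $5 == "" || $5 >= 99999 { print "FINDING: " $1 " password never expires (max=" $5 ")"; findings++ }
    $4 == 0      { print "NOTE: " $1 " can change its password again immediately (min=0)" }
    END { print "SUMMARY findings=" findings + 0 }' "$1"
}

audit_group() {    # audit_group /tmp/groups.atxt
    awk -F: '
    $3 == 0 && $4 != "" && $4 != "root"     { print "FINDING: GID 0 (" $1 ") has extra members: " $4; findings++ }
    $2 != "x" && $2 != "" && $2 !~ /^[*!]/ { print "NOTE: group " $1 " has a password set; anyone who knows it can newgrp into it" }
    END { print "SUMMARY findings=" findings + 0 }' "$1"
}

# --- demo on constructed input -------------------------------------------
work=$(mktemp -d)
cat >"$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:constructed second root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/bin/sh
guest::500:500::/home/guest:/bin/sh
alice:x:501:501:Alice:/home/alice:/bin/bash
EOF
cat >"$work/shadow" <<'EOF'
root:$1$RY7BRRo9$vbJX3mu0ESeUAhlfYYupk1:12081:0:99999:7:-1:134539236
bin:*:11926:0:99999:7:::
daemon:*:11926:0:99999:7:::
adm::11926:0:99999:7:::
alice:$1$abcdefgh$ijklmnopqrstuvwxyz0123:12081:1:90:7:::
EOF
cat >"$work/group" <<'EOF'
root:x:0:root,toor
bin:x:1:root,bin,daemon
wheel:x:10:root,alice
sudoers:$1$grp$notarealhash:100:
EOF
audit_passwd "$work/passwd"
audit_shadow "$work/shadow"
audit_group  "$work/group"
```

The root and adm shadow lines are the ones from the slide, so the two findings they produce (never expires, no password) are exactly what the slide's example is trying to make you notice.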
Putting it all together
• Script to run commands and dump output to /tmp
• tar all of the output files and transfer via network to your laptop
• use Cygwin to evaluate the output files!
Putting it all together: the tools you need on the laptop
• grep
• telnet
• cat
• find
Putting it all together
last >/tmp/last.atxt
root tty1 Sun Mar 16 12:22 still logged in
reboot system boot 2.2.14-5.0 Sun Mar 16 12:21 (05:51)
root tty1 Sat Mar 15 14:20 - down (07:12)
root pts/1 :0 Sat Mar 15 14:14 - 14:14 (00:00)
root pts/1 :0 Sat Mar 15 13:07 - 13:07 (00:00)
root pts/0 :0 Sat Mar 15 12:27 - 14:14 (01:46)
root tty1 Sat Mar 15 12:01 - 14:19 (02:18)
reboot system boot 2.2.14-5.0 Sat Mar 15 11:58 (09:34)
root tty1 Thu Mar 13 06:32 - down (08:10)
root tty1 Thu Mar 13 06:29 - 06:32 (00:02)
reboot system boot 2.2.14-5.0 Thu Mar 13 06:24 (08:19)
root tty1 Tue Mar 11 07:11 - down (02:17)
reboot system boot 2.2.14-5.0 Tue Mar 11 07:10 (02:18)
root tty1 Sun Mar 9 18:12 - down (00:49)
reboot system boot 2.2.14-5.0 Sun Mar 9 18:09 (00:51)
Putting it all together
• grep -a -i -f grep.txt target.txt
-a = process the target file as text
-i = ignore case
-f = read the patterns from the named input file
grep.txt = name of the pattern file
target.txt = file being “grepped”
Cygwin note:
If you are using Cygwin, you can create the input file in a Windows editor (i.e. Notepad) but before using it to grep you must convert it to a unix file by using the ‘dos2unix’ command (dos2unix filename).
i.e. dos2unix grep.txt will convert the dos text file grep.txt to unix text. The differences between the two are not great, but they are large enough to prevent grep from understanding the input file if you don’t convert it first!
Putting it all together: contents of grep.txt (“the usual suspects”)
talk
name
finger
uucp
mouse
tftp
shell
login
exec
comsat
systat
netstat
admind
Putting it all together
$ grep -a -i -f grep.txt target.txt
systat 11/tcp users # Active Users
whois 43/tcp nicname # Who Is
tftp 69/udp # Trivial File Transfer Protocol
finger 79/tcp # Finger
hostnames 101/tcp hostname # NIC Host Name Server
uucp-path 117/tcp # UUCP Path Service
netbios_ns 137/tcp # NetBIOS Name Service
exec 512/tcp # remote execution, passwd required
login 513/tcp # remote login
shell 514/tcp cmd # remote command, no passwd used
talk 517/udp # conversation
ntalk 518/udp # new talk, conversation
Putting it all together: pulling identifiers out of one file and looking them up in another
grep -o 'JM[0-9][0-9][0-9][0-9][0-9]' leg_share.txt
    (print only the matching IDs of the form JM plus five digits)
grep -o 'JM[0-9][0-9][0-9][0-9][0-9]' leg_share.txt | sort -u
    (one copy of each ID)
grep -o 'JM[0-9][0-9][0-9][0-9][0-9]' leg_share.txt | sort -u >sorted.txt; grep -A1 -f sorted.txt april_users.txt
    (then use that list as patterns against the user list, showing the line after each hit)
Putting it all together
tar -cvf audit.tar /tmp/*.atxt
Putting it all together
• The following slides are a list of commands I use to audit Unix systems.
• This list is not “all encompassing”, well organized, 100% accurate, or 100% complete.
• Use at your own risk, no warranty expressed or implied. Void where prohibited.
• This list can be a place to start your own research.
• The goal is to place the output of these simple commands into the /tmp directory, tar them up and then transfer them back to the auditor's workstation for analysis.
Good luck and enjoy!
Putting it all together: “the usual suspects” and “the usual reasons”
(command, then why you run it; omit everything from “>” onward to get the output on screen instead of in a file)
ls /etc/sam/custom/login-name.cf – config file that sets a user's rights within SAM (HP-UX)
bdf >/tmp/bdf.atxt – show mounted file systems and free space (HP-UX)
sort /etc/passwd >/tmp/passwd.atxt – users and password info
sort /etc/group >/tmp/groups.atxt – group list and members
sort /etc/shadow >/tmp/shadow.atxt – shadow password info (needs root)
cat /etc/services >/tmp/services.atxt – contents of the services file
cat /etc/aliases >/tmp/aliases.atxt – system mail aliases
cat /etc/default/useradd >/tmp/useradd.atxt – useradd template parameters
cat /etc/dfs/dfstab >/tmp/dfstab.atxt – file systems shared via NFS at boot (Solaris)
cat /etc/fstab >/tmp/fstab.atxt – file system mount points
cat /etc/exports >/tmp/exports.atxt – NFS exports (HP-UX, Linux); an error here is good news: nothing is exported
sort /etc/ftpd/ftpusers >/tmp/ftpusers.atxt – users denied FTP login (alternate location)
sort /etc/ftpusers >/tmp/ftpusers.atxt – users denied FTP login
cat /etc/hosts.equiv >/tmp/hosts.equiv.atxt – hosts trusted by the r-services
cat /etc/hosts >/tmp/hosts.atxt – local host name resolution
cat /etc/inetd.conf >/tmp/inetd.conf.atxt – the configuration file for inetd
cat /etc/xinetd.conf /etc/xinetd.d/* >/tmp/xinetd.conf.atxt – the same for Linux systems running xinetd
cat /etc/inittab >/tmp/inittab.atxt – init configuration
cat /etc/nsswitch.conf >/tmp/nsswitch.atxt – name service lookup order
cat /etc/pam.d/* >/tmp/pam.atxt – Pluggable Authentication Modules configuration (Linux)
cat /etc/pam.conf >/tmp/pamconf.atxt – PAM settings (Solaris, HP-UX)
cat /etc/PATH >/tmp/path.atxt – default PATH (HP-UX)
echo $PATH >/tmp/path.atxt – current PATH
cat /etc/profile >/tmp/profile.atxt – system-wide login profile
cat /etc/rc.config >/tmp/rcconfig.atxt – rc configuration (HP-UX)
* omit everything to the right of “>” for output to screen
Putting it all together: “the usual suspects” and “the usual reasons” (cont'd)
cat /.rhosts >/tmp/rhosts.atxt – root's trusted hosts and users (per-user .rhosts files are found with find, below)
cat /etc/rpc >/tmp/rpc.atxt – RPC program number database
cat /etc/shadow >/tmp/shadow.atxt – shadow passwords (unsorted copy)
cat /etc/uucp/Devices >/tmp/uucp_devices.atxt – look for uucp devices
cat /etc/uucp/Dialers >/tmp/uucp_dialers.atxt – check for modems
cat /usr/lib/uucp/Devices >/tmp/uucp_devices.atxt – list of uucp devices (older location)
cat /usr/lib/uucp/Dialers >/tmp/uucp_dialers.atxt – check for modem phone numbers
cat /usr/lib/uucp/Systems >/tmp/uucp_systems.atxt – list of uucp systems
crontab -l >/tmp/crons.atxt – the current user's crontab (as root, collect every other user's too)
df -h >/tmp/df.atxt – disk space, human-readable
df -k >/tmp/dfk.atxt – disk space in kilobytes
env >/tmp/env.atxt – environment variables
exportfs >/tmp/exportfs.atxt – currently exported files and directories
last >/tmp/last.atxt – last logins
lastb >/tmp/last.bad.atxt – last bad logins
ls /etc/rc3.d >/tmp/rc3.atxt – what is turned on/off for run level 3 (Solaris; /etc/rc.d/rc3.d on Linux, /sbin/rc3.d on HP-UX)
ls /etc/rc5.d >/tmp/rc5.atxt – what is turned on/off for run level 5 (same directory variants)
ls -l /etc/exports >/tmp/exports.perm.atxt – permissions on /etc/exports
ls -lR /tcb/files/auth >/tmp/hp_trusted.atxt – the HP-UX trusted system “shadow file” database (needs root)
ls -lR / >/tmp/filesys.atxt – rights on the (ugh) whole file system
mount >/tmp/mountpts.atxt – mounted file systems and their options
* omit everything to the right of “>” for output to screen
Putting it all together: “the usual suspects” and “the usual reasons” (cont'd)
cat /etc/rc.config.d/netconf >/tmp/netconf.atxt – config values for the core networking subsystems (HP-UX)
cat /etc/rc.config.d/netconf /etc/rc.config.d/auditing >/tmp/rc_configd.atxt – networking and auditing config together (HP-UX)
cat /etc/resolv.conf >/tmp/resolvconf.atxt – the DNS domain the system belongs to and the name servers the client will use
cat /etc/uucp/Systems >/tmp/uucp_systems.atxt – “Unix-to-Unix copy”: lists and describes the remote systems accessible to the local system through the Basic Networking Utilities
cat /var/adm/inetd.sec >/tmp/inetd_sec.atxt – HP-UX inetd security file: each line is a service name, an allow/deny field, and the addresses or names of the hosts and/or networks allowed (or denied) to use that service on this machine
cat /etc/securetty >/tmp/securetty.atxt – terminals from which root may log in directly; if it contains only “console”, root can log in only at the console and everyone else must log in as themselves and then su
find / \( -perm -4000 -o -perm -2000 \) -ls >/tmp/uid.atxt – look for setuid or setgid files
find / -name .profile -exec cat {} \; >/tmp/profiles.atxt – show users' login profiles (get the C shell and Korn shell files too!)
find / -name .rhosts -exec cat {} \; >/tmp/rhosts.atxt – .rhosts search
find / -perm -2000 -exec ls -al {} \; >/tmp/2000.atxt – setgid files with their permissions
find / -perm -4000 -exec ls -al {} \; >/tmp/4000.atxt – setuid files with their permissions
find /etc/rc.config.d -name '*conf*' -exec cat {} \; >/tmp/rc.config.atxt – displays the config files from /etc/rc.config.d/ (HP-UX)
find /etc/rc.config.d -name '*config*' -exec cat {} \; >/tmp/hp_rc.config.d.atxt – contents of the config files (HP-UX)
find /etc/rc.config.d -name 'audit*' -exec cat {} \; >/tmp/hp_rc.audit.atxt – contents of the auditing config (HP-UX)
ypwhich – lists the name of the NIS server (and, with -x, the nickname translation table)
ypcat -x – displays the NIS map nicknames; ypcat <map> displays a map's contents
exportfs -v >/tmp/exportfs.atxt – print each directory or file name as it is exported (HP-UX, Linux)
share >/tmp/share.atxt – print each directory or file name currently shared (Solaris)
cat /etc/hosts.allow – lists the machines (by IP address or name) from which the host will accept incoming connections
cat /etc/hosts.deny – lists the machines from which the host will NOT accept incoming connections
find / -name snmpd.conf -exec grep -l public {} \; – find snmpd config files where the default community string “public” may still exist
* omit everything to the right of “>” for output to screen
Putting it all together: “the usual suspects” and “the usual reasons” (cont'd)
netstat -a >/tmp/netstata.atxt – all sockets
netstat -in >/tmp/netstatin.atxt – interface information
netstat -r >/tmp/netstatr.atxt – routing table (-rv on HP-UX, -rn elsewhere for numeric output)
pkginfo >/tmp/pkginfo.atxt – installed packages (Solaris)
ps -aef >/tmp/psaef.atxt – all processes (System V style)
ps -aux >/tmp/psaux.atxt – all processes (BSD style)
rpm -qa >/tmp/rpms.atxt – installed packages (Linux)
showmount -e >/tmp/ex_mntpts.atxt – exported mount points
swlist -l fileset >/tmp/hp_pkgs.atxt – installed software (HP-UX)
tail -300 /var/adm/sulog >/tmp/sulog.atxt – last 300 lines of the su log
uname -a >/tmp/uname.atxt – identify the system
rpcinfo -p >/tmp/rpcinfo.atxt – registered RPC services (portmapper dump)
cat /etc/printcap.local – custom printer definitions (Linux)
ioscan – hardware configuration (HP-UX)
umask – current umask
* omit everything to the right of “>” for output to screen
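The collection step the lists above describe (run the commands, write each output to /tmp, tar it up), as an added example that is not the presenter's own script. It records each command's exit status alongside its output, because on the systems you audit without root a permission denied on /etc/shadow is itself a data point, not just a failure. The command list here is a short constructed one; on a real host extend it with the entries from the slides.

```shell
#!/bin/sh
# Added example, not from the original slides: a small collector for the
# "usual suspects". Each command's output goes to its own .atxt file in the
# output directory, its stderr and exit status are recorded in MANIFEST.txt
# (a missing /etc/shadow or a permission denied is itself a finding; note
# the slides' point that you usually do not have root), and the directory is
# tarred for transfer to the auditor's workstation. Only read-only commands
# are run; the command list here is a short constructed one for the demo.

collect() {             # collect OUTDIR NAME COMMAND [ARG...]
    out="$1"; name="$2"; shift 2
    "$@" >"$out/$name.atxt" 2>"$out/$name.err"
    rc=$?
    printf '%s\trc=%s\t%s\n' "$name" "$rc" "$*" >>"$out/MANIFEST.txt"
    return 0            # never abort the run because one command failed
}

run_collection() {      # run_collection OUTDIR ; prints the tarball path
    out="$1"
    mkdir -p "$out"
    : >"$out/MANIFEST.txt"
    collect "$out" uname    uname -a
    collect "$out" id       id
    collect "$out" env      env
    collect "$out" passwd   sh -c 'sort /etc/passwd'   # sorting and pipelines go through sh -c
    collect "$out" shadow   cat /etc/shadow            # fails without root: rc is recorded
    collect "$out" hosts_eq cat /etc/hosts.equiv       # usually absent: that is good news
    collect "$out" mounts   mount
    collect "$out" umask    sh -c umask
    tar -cf "$out.tar" -C "$(dirname "$out")" "$(basename "$out")"
    echo "$out.tar"
}

# --- demo ----------------------------------------------------------------
work=$(mktemp -d)
tarball=$(run_collection "$work/audit")
echo "collected into $tarball"
cat "$work/audit/MANIFEST.txt"
```

Keep the MANIFEST with the tarball: when you review the .atxt files on the laptop a week later it tells you which empty files mean “nothing there” and which mean “could not read it”.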
Some useful URLs:
ICAT Metabase and Secunia http://icat.nist.gov/icat.cfm and www.secunia.com
Common Vulnerabilities and Exposures http://cve.mitre.org/
Rosetta Stone for Unix http://bhami.com/rosetta.html
RPC port info http://www.iss.net/security_center/advice/Exploits/Ports/RPC/default.htm