LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-01-2011, 08:36 PM   #46
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50

OK I've finally got samhain installed and it seems to be sending mail to me and one other account. which is a huge relief. On the other hand, I don't feel like my postfix config is really correct yet due to delivery failures for local accounts (e.g., daemon, root@localhost, etc.).

I am now digging into the tiger output and trying to repair the issues reported to me.
Code:
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (bin) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (daemon) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (games) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (gnats) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (irc) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (sneakyimp) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (sneakyimps_boss) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (libuuid) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (lp) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (mail) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (man) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (news) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (proxy) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell. 
--WARN-- [pass015w] Login ID sshd does not have a valid shell 
         (/usr/sbin/nologin). 
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync). 
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (ubuntu) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
I see unSpawn's comments in the other thread:
Quote:
Originally Posted by unSpawn
- This is a system account, necessary to run a service. Review if you need (to remove) the service which should remove the account.
- Possible targets for removal are: irc (there should not be IRC software or an IRC daemon on the system at this stage), games (this is a server), news (you're not running a NNTP daemon).
- Review the other system accounts for the need of a shell. For instance Apache does not need one and can use any inert binary as shell like /sbin/nologin or /bin/false.
- Set password aging and stronger password for root and all unprivileged (human) accounts.
My thoughts/questions:
* I'm not sure exactly how this list is generated, but it has my account and my boss' account here which are notservices but rather 'unprivileged' accounts with sudo capability. Obviously, they must stay or we lose root-level access to the box. They will stay unmolested.
* which ones definitely need to go? i don't have www-data now but will once i've installed apache. i'm also guessing root must stay. irc, news, and games can be removed, right?
* How does one remove these? Is it enough just to deluser --remove-home --remove-all-files them? Is that going to cause problems with other binaries/daemons/configuration? Is it preferable to somehow disable their login?
* What does it mean that sshd and sync don't have a shell?

Code:
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
I ran pwck and all results are about missing dirs. It's my understanding that this doesn't pose a problem:
Code:
$ sudo pwck -r
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'www-data': directory '/var/www' does not exist
user 'list': directory '/var/list' does not exist
user 'irc': directory '/var/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'syslog': directory '/home/syslog' does not exist
user 'haldaemon': directory '/var/run/hald' does not exist
pwck: no changes
Code:
--WARN-- [acc021w] Login ID landscape appears to be a dormant account.
I'm not sure what landscape is, but I think it's related to this message I see after logging in:
Code:
Graph this data and manage this system at https://landscape.canonical.com/
apt-cache search landscape returns these two items:
Code:
landscape-client - The Landscape administration system client
landscape-common - The Landscape administration system client
I doubt I'll be using this. If I must remove it, should I delete the account or try an apt-get remove ?

Code:
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
I don't expect this is a problem, but it's not mentioned in the other thread. Can I ignore it?

Code:
--WARN-- [root003w] Root user has message capability turned on.
As instructed in the other thread, I edited /root/.bashrc and add this line at the end:
Code:
mesg n; dmesg -n 4
Code:
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
This is not mentioned in the other thread. Suggestions?

Code:
--WARN-- [cron004w] Root crontab does not exist
I understand from the other thread that this is desirable.

Code:
--WARN-- [cron005w] Use of cron is not restricted
I see your suggestions that we do a deny/allow:
Quote:
Originally Posted by unSpawn
See manual page about /etc/cron.{deny,allow}. (Same should apply to the 'at' service.)
but given that I don't know which users to limit it to, I haven't made any changes here. Suggestions welcome as there appear to be numerous cron jobs.

Code:
--WARN-- [inet003w] The port for service sieve is also assigned to service 
         cisco-sccp. 
--WARN-- [inet003w] The port for service ndtp is also assigned to service 
         pipe_server. 
--WARN-- [inet003w] The port for service ndtp is also assigned to service 
         search. 
--WARN-- [inet003w] The port for service postgres is also assigned to service 
         postgresql. 
--WARN-- [inet003w] The port for service postgres is also assigned to service 
         postgresql. 
--WARN-- [inet003w] The port for service sane is also assigned to service 
         sane-port. 
--WARN-- [inet003w] The port for service webcache is also assigned to service 
         http-alt. 
--WARN-- [inet003w] The port for service webcache is also assigned to service 
         http-alt.
Not sure what to make of these.

Code:
--ALERT-- [perm023a] /bin/su is setuid to `root'. 
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'. 
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'. 
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon). 
--WARN-- [perm002w] The group owner of /usr/bin/at should be root. 
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'. 
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.
These don't appear to be mentioned in the other thread and look rather severe as they are ALERTS. Suggestions?

Code:
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group 
         permissions. Should be 0600 
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world 
         permissions. Should be 0600 
--WARN-- [boot06] The Grub bootloader does not have a password configured.
Your advice here is ambiguous:
Quote:
Originally Posted by unSpawn
All users must be able to read in /etc, but no user except root has any business reading /boot. Chmod files to 0640.
Does that mean sudo chmod 0640 /boot/grub/menu.lst or are there other files/permissions involved?

Code:
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
Quote:
Originally Posted by unSpawn
Add line "umask 027" or "umask 022" depending on your needs.
I don't know what my needs are so I'm unable to implement your advice. Please advise.

[code]--WARN-- [lin012w] The system accepts ICMP redirection messages
Quote:
Originally Posted by unSpawn
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
EDIT: I did "sudo su" and was able to complete this. duh.

Code:
--FAIL-- [lin016f] The system permits source routing from incoming packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
EDIT: I did "sudo su" and was able to complete this. duh.


[code]
Code:
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
EDIT: I did "sudo su" and was able to complete this. duh.


Code:
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `squeeze/sid'
This does not appear to be addressed in the other thread.

Do you also want the output of this command?
Code:
sysctl -a | egrep -ie "(ip_always_defrag|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|accept_redirects|send_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|tcp_syncookies|ip_default_ttl|tcp_max_syn_backlog|tcp_syn_retries|mtu_expires|tcp_keepalive_time|icmp_echoreply_rate|tcp_fin_timeout|tcp_rfc1337|ip_no_pmtu_disc|panic|panic_on_oops)"|tr '.' '/'| awk '{print "echo", $3, "> /proc/sys/"$1}'|column -t
?

This is the bit I found rather worrisome:
Code:
# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.pcimap' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.usbmap' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.alias' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file `/lib/modules/2.6.32-33-server/modules.dep' 
         checksum differs from installed package 
         'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.alias.bin' checksum differs 
         from installed package 'linux-image-2.6.32-33-virtual'. 
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.32-33-server/modules.symbols' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/ufw/user.rules' does not belong to any package. 
--WARN-- [lin001w] File `/lib/ufw/user6.rules' does not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.ieee1394map' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.alias' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.usbmap' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.symbols.bin' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.isapnpmap' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.pcimap' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.builtin.bin' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.dep.bin' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.symbols' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.inputmap' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.ccwmap' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.seriomap' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.alias.bin' does 
         not belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.dep' does not 
         belong to any package. 
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.ofmap' does not 
         belong to any package.
What the heck? Aside from the perl/CPAN installs, the only things I've installed have been using apt-get. Weird that this stuff would be broken already.


Code:
--WARN-- [dev003w] The directory /dev/block resides in a device directory. 
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
??

Code:
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
I think your post says 0640 but there was a different error. Suggestions?

Code:
--WARN-- [misc026w] There is no default umask settings for user login shells 
         in /etc/login.defs
Not in the other thread. Suggestions?

Code:
--WARN-- [lin002i] The process `dhclient3' is listening on socket 68 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `sshd' is listening on socket 22 (TCP) on every 
         interface.
As previously discussed, ssh should be locked down pretty darn tight. i don't know what dhclient3 is, but suspect that between AWS security group and ip tables, it's not a problem at the moment. Should this service be removed/halted? If so, how?

Code:
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition infile).
Not mentioned in the other file.

Code:
--FAIL-- [netw020f] There is no /etc/ftpusers file.
We'll get to this at some point. I think I'll only have a couple of ftp users.

Code:
--WARN-- [fsys013w] cannot access /lib/udev/devices/sndstat is a dangling 
         symlink. 
--WARN-- [fsys013w] cannot access /usr/lib/tiger/systems/Linux/issue.net is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/doc/bash/completion-contrib is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/man/man5/modprobe.d.5 is a 
         dangling symlink.
??

Code:
--ALERT-- [fsys006a] Unexpected device files found: 
crw------- 1 root root 5, 1 Jul 19 07:00 /lib/udev/devices/console
brw------- 1 root root 7, 0 Jul 19 07:00 /lib/udev/devices/loop0
crw------- 1 root root 10, 200 Jul 19 07:00 /lib/udev/devices/net/tun
crw------- 1 root root 1, 3 Jul 19 07:00 /lib/udev/devices/null
crw------- 1 root root 108, 0 Jul 19 07:00 /lib/udev/devices/ppp
???


Tiger is looking pretty handy as a security audit tool. Sadly, I know little about what it's trying to tell me. Your advice would be much appreciated.

Last edited by sneakyimp; 08-02-2011 at 10:35 AM.
 
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 08-02-2011, 11:10 AM   #47
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,139
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Quote:
Originally Posted by sneakyimp View Post
I am now digging into the tiger output and trying to repair the issues reported to me.
Code:
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell. 
(..)
--WARN-- [pass014w] Login (root) is disabled, but has a valid shell. 
--WARN-- [pass015w] Login ID sshd does not have a valid shell 
         (/usr/sbin/nologin). 
--WARN-- [pass015w] Login ID sync does not have a valid shell (/bin/sync). 
--WARN-- [pass014w] Login (sys) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (ubuntu) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (uucp) is disabled, but has a valid shell. 
--WARN-- [pass014w] Login (www-data) is disabled, but has a valid shell.
I see unSpawn's comments in the other thread:
Quote:
Originally Posted by unSpawn
- This is a system account, necessary to run a service. Review if you need (to remove) the service which should remove the account.
- Possible targets for removal are: irc (there should not be IRC software or an IRC daemon on the system at this stage), games (this is a server), news (you're not running a NNTP daemon).
- Review the other system accounts for the need of a shell. For instance Apache does not need one and can use any inert binary as shell like /sbin/nologin or /bin/false.
- Set password aging and stronger password for root and all unprivileged (human) accounts.
My thoughts/questions:
* I'm not sure exactly how this list is generated, but it has my account and my boss' account here which are notservices but rather 'unprivileged' accounts with sudo capability. Obviously, they must stay or we lose root-level access to the box. They will stay unmolested.
I don't have the Tiger source to look at right now but I'd say it's generated from /etc/passwd nfo, so when it says "disabled" I suspect it means "administratively disabled" as in the account being locked. If the sneakyimp and sneakyimps_boss account are properly set up with strong password and aging ('sudo chage -l sneakyimp') then this could be a glitch in Tiger. I'll have a look at my 10.04 LTS machine later on to confirm.


Quote:
Originally Posted by sneakyimp View Post
* which ones definitely need to go? i don't have www-data now but will once i've installed apache. i'm also guessing root must stay. irc, news, and games can be removed, right?
* How does one remove these? Is it enough just to deluser --remove-home --remove-all-files them? Is that going to cause problems with other binaries/daemons/configuration? Is it preferable to somehow disable their login?
Some accounts come with the system by default and some will be installed once (server) software is installed (find out for each account with 'sudo find / -xdev -user ${LOGNAME}'). For now I would 'sudo vipw' and change the shells for games, gnats, irc, lp (probably not install CUPS), news, proxy and uucp to '/bin/false' or '/usr/sbin/nologin', ensuring there is no single point of failure. (I am not familiar with the 'list' account: check your Ubuntu documentation please).


Quote:
Originally Posted by sneakyimp View Post
* What does it mean that sshd and sync don't have a shell?
Shells must be added to /etc/shells to be considered valid. That's all, the chosen binary itself is in both cases OK.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck -r).
I ran pwck and all results are about missing dirs. It's my understanding that this doesn't pose a problem:
Code:
$ sudo pwck -r
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
(..)
user 'list': directory '/var/list' does not exist
user 'irc': directory '/var/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
(..)
pwck: no changes
The above shouldn't exist unless SW is installed and the ones I removed should be ignored.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [acc021w] Login ID landscape appears to be a dormant account.
I'm not sure what landscape is, but I think it's related to this message I see after logging in:
Code:
Graph this data and manage this system at https://landscape.canonical.com/
apt-cache search landscape returns these two items:
Code:
landscape-client - The Landscape administration system client
landscape-common - The Landscape administration system client
I doubt I'll be using this. If I must remove it, should I delete the account or try an apt-get remove ?
When in doubt please search your man and info pages, package info or Ubuntu documentation. The package says "Landscape is a web-based tool for managing Ubuntu systems. This package is necessary if you want your machine to be managed in a Landscape account."
Packages that are not dependencies for other packages should be removed.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not accessible.
I don't expect this is a problem, but it's not mentioned in the other thread. Can I ignore it?
Ignore. Nobody shouldn't have a home or "/".


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
This is not mentioned in the other thread. Suggestions?
Documentation. See https://help.ubuntu.com/community/EnvironmentVariables (Ubuntu: /etc/environment).


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [cron004w] Root crontab does not exist
I understand from the other thread that this is desirable.
Yes. Cronjobs should either be run by unprivileged users where possible or from crontab files in /etc/cron*.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [cron005w] Use of cron is not restricted
I see your suggestions that we do a deny/allow:
Quote:
Originally Posted by unSpawn
See manual page about /etc/cron.{deny,allow}. (Same should apply to the 'at' service.)
but given that I don't know which users to limit it to, I haven't made any changes here. Suggestions welcome as there appear to be numerous cron jobs.
- Look up who owns the cron files and its parent directory,
- Look up which user the cron daemon runs at.
- echo those account names into /etc/cron.allow.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [inet003w] The port for service ${SERVICE_NAME} is also assigned to service 
         ${OTHER_SERVICE_NAME}.
Not sure what to make of these.
If you 'getent services sieve' it should only return one service name entry and not multiple ones as that collides with IANA port assignments. Note in a few cases there's duplicate or alternative service names: pick the one Ubuntu applications and documentation support.


Quote:
Originally Posted by sneakyimp View Post
Code:
--ALERT-- [perm023a] /bin/su is setuid to `root'. 
--ALERT-- [perm023a] /usr/bin/at is setuid to `daemon'. 
--ALERT-- [perm024a] /usr/bin/at is setgid to `daemon'. 
--WARN-- [perm001w] The owner of /usr/bin/at should be root (owned by daemon). 
--WARN-- [perm002w] The group owner of /usr/bin/at should be root. 
--ALERT-- [perm023a] /usr/bin/passwd is setuid to `root'. 
--ALERT-- [perm024a] /usr/bin/wall is setgid to `tty'.
These don't appear to be mentioned in the other thread and look rather severe as they are ALERTS. Suggestions?
passwd and wall look OK to me, the others may be Ubuntu, Debian or upstream default Tiger does not recognize. Unless Hangdog42 does I'll confirm later on.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group 
         permissions. Should be 0600 
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world 
         permissions. Should be 0600 
--WARN-- [boot06] The Grub bootloader does not have a password configured.
Your advice here is ambiguous:
Quote:
Originally Posted by unSpawn
All users must be able to read in /etc, but no user except root has any business reading /boot. Chmod files to 0640.
Does that mean sudo chmod 0640 /boot/grub/menu.lst or are there other files/permissions involved?
It only talks about menu.lst but other than that as only root is allowed write rights and no passwd should be set on a server to boot or use alternative boot entries I'd say ignore.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
Quote:
Originally Posted by unSpawn
Add line "umask 027" or "umask 022" depending on your needs.
I don't know what my needs are so I'm unable to implement your advice. Please advise.
For human accounts I'd suggest 'umask 027': edit shell resource files for existing users and modify /etc/skell shell resource files for new users. Services may go with the default or '022' as output is often confined to directories owned by the user running the daemon. Also consult the above "environment" page.


Quote:
Originally Posted by sneakyimp View Post
[code]--WARN-- [lin012w] The system accepts ICMP redirection messages
Quote:
Originally Posted by unSpawn
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
I have performed this step (and even tried sudo ech0 0 >) but it says permission denied. Suggestions?
Use sudo?


Quote:
Originally Posted by sneakyimp View Post
Code:
--FAIL-- [lin016f] The system permits source routing from incoming packets
I have tried echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route but permission denied. Also tried sudo.
Running 'sysctl -a|grep source' may provide you with a list of sysctl locations to change. Note modifications don't survive a reboot unless you add them to /etc/sysctl.conf or equivalent or local startup file in /etc.

Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [lin017w] The system is not configured to log suspicious (martian) packets
tried echo 1 > /proc/sys/net/ipv4/conf/all/log_martians put permission denied (even with sudo). Am I putting the sudo in the wrong place?
'sysctl -a|grep martian'?


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `squeeze/sid'
This does not appear to be addressed in the other thread.

Do you also want the output of this command?
Code:
sysctl -a | egrep -ie "(ip_always_defrag|icmp_echo_ignore_broadcasts|icmp_ignore_bogus_error_responses|accept_redirects|send_redirects|accept_source_route|log_martians|rp_filter|secure_redirects|tcp_syncookies|ip_default_ttl|tcp_max_syn_backlog|tcp_syn_retries|mtu_expires|tcp_keepalive_time|icmp_echoreply_rate|tcp_fin_timeout|tcp_rfc1337|ip_no_pmtu_disc|panic|panic_on_oops)"|tr '.' '/'| awk '{print "echo", $3, "> /proc/sys/"$1}'|column -t
?
Tiger needs to be patched. I'll see if I can get Javier to pick up changes we encouter here. The sysctl output only if you can't solve things yourself and only those items and nothing more, please.


Quote:
Originally Posted by sneakyimp View Post
This is the bit I found rather worrisome:
Code:
# Checking md5sums of installed files
--FAIL-- [lin005f] Installed file 
         `/lib/modules/2.6.*/modules.*' checksum differs from 
         installed package 'linux-image-2.6.32-33-virtual'. 
(..)

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/ufw/user.rules' does not belong to any package. 
--WARN-- [lin001w] File `/lib/ufw/user6.rules' does not belong to any package. 
(..)
--WARN-- [lin001w] File `/lib/modules/2.6.32-317-ec2/modules.*' does not 
         belong to any package.
Kernels may generate module maps after installation or on reboot, etc, etc (may not exist or are regenerated). As long as the kernel version doesn't change the hash won't change only MAC times and inode. The UFW rules may be generated by a package post-install script.


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [dev003w] The directory /dev/block resides in a device directory. 
--WARN-- [dev003w] The directory /dev/char resides in a device directory.
??
Ignore known /dev/ entries.


Quote:
Originally Posted by sneakyimp View Post
Code:
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660
I think your post says 0640 but there was a different error. Suggestions?
Best left at distro default unless some service needs access. What does 'sudo stat /var/log/btmp' say?


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [misc026w] There is no default umask settings for user login shells 
         in /etc/login.defs
Not in the other thread. Suggestions?
Does /etc/login.defs even exist?


Quote:
Originally Posted by sneakyimp View Post
Code:
--WARN-- [lin002i] The process `dhclient3' is listening on socket 68 (UDP) on 
         every interface. 
--WARN-- [lin002i] The process `sshd' is listening on socket 22 (TCP) on every 
         interface.
As previously discussed, ssh should be locked down pretty darn tight. i don't know what dhclient3 is, but suspect that between AWS security group and ip tables, it's not a problem at the moment. Should this service be removed/halted? If so, how?
No, it's your DHCP client!


Quote:
Originally Posted by sneakyimp View Post
Code:
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file definition infile).
Not mentioned in the other file.
If it doesn't exist then ignore.


Quote:
Originally Posted by sneakyimp View Post
Code:
--FAIL-- [netw020f] There is no /etc/ftpusers file.
We'll get to this at some point. I think I'll only have a couple of ftp users.

Code:
--WARN-- [fsys013w] cannot access /lib/udev/devices/sndstat is a dangling 
         symlink. 
--WARN-- [fsys013w] cannot access /usr/lib/tiger/systems/Linux/issue.net is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/doc/bash/completion-contrib is a 
         dangling symlink. 
--WARN-- [fsys013w] cannot access /usr/share/man/man5/modprobe.d.5 is a 
         dangling symlink.
??
Run 'sudo readlink -f /path//to/symlink' and check what it is supposed to link to. Then check your packages repo what package holds the file. Decide if you need the package. Else delete the symlink.


Quote:
Originally Posted by sneakyimp View Post
Code:
--ALERT-- [fsys006a] Unexpected device files found: 
crw------- 1 root root 5, 1 Jul 19 07:00 /lib/udev/devices/console
brw------- 1 root root 7, 0 Jul 19 07:00 /lib/udev/devices/loop0
crw------- 1 root root 10, 200 Jul 19 07:00 /lib/udev/devices/net/tun
crw------- 1 root root 1, 3 Jul 19 07:00 /lib/udev/devices/null
crw------- 1 root root 108, 0 Jul 19 07:00 /lib/udev/devices/ppp
???
Maybe false positive. Have to look it up.


Quote:
Originally Posted by sneakyimp View Post
Tiger is looking pretty handy as a security audit tool. Sadly, I know little about what it's trying to tell me.
Well now you know a little more. Moe importantly you know how you can find information yourself. This should become second nature real soon leaving you with only the important questions to ask. BTW next time I'll be talking to you you probably have Apache, MySQL and PHP installed.. :-]
 
1 members found this post helpful.
Old 08-02-2011, 12:27 PM   #48
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
THANK YOU for your time on this.

Quote:
Originally Posted by unSpawn View Post
I don't have the Tiger source to look at right now but I'd say it's generated from /etc/passwd nfo, so when it says "disabled" I suspect it means "administratively disabled" as in the account being locked. If the sneakyimp and sneakyimps_boss account are properly set up with strong password and aging ('sudo chage -l sneakyimp') then this could be a glitch in Tiger. I'll have a look at my 10.04 LTS machine later on to confirm.
AFAIK, sneakyimp and sneakyimps_boss will only be able to login using a 4096-bit cert. I didn't give these users passwords. Do we really need to fiddle with their passwd expiration values? Am I missing something here?

Quote:
Originally Posted by unSpawn View Post
Some accounts come with the system by default and some will be installed once (server) software is installed (find out for each account with 'sudo find / -xdev -user ${LOGNAME}'). For now I would 'sudo vipw' and change the shells for games, gnats, irc, lp (probably not install CUPS), news, proxy and uucp to '/bin/false' or '/usr/sbin/nologin', ensuring there is no single point of failure. (I am not familiar with the 'list' account: check your Ubuntu documentation please).
I don't understand what sudo find / -xdev -user ${LOGNAME} does. I see that this command returns a lot of files for my own account. Am I to su as each user and then run the command?

vipw uses vi. EWWWW!



Quote:
Originally Posted by unSpawn View Post
When in doubt please search your man and info pages, package info or Ubuntu documentation. The package says "Landscape is a web-based tool for managing Ubuntu systems. This package is necessary if you want your machine to be managed in a Landscape account."
Packages that are not dependencies for other packages should be removed.
Is there an easy/foolproof way to determine whether a package is a dependency?

Quote:
Originally Posted by unSpawn View Post
Yes. Cronjobs should either be run by unprivileged users where possible or from crontab files in /etc/cron*.
My fear here is that I'll deny cron access to some user that runs an important cron job. All of the cron jobs in /etc/cron* are user and group ROOT. Is there some way to determine which users currently have cron jobs? Or, for new packages/services/applications (e.g., mysql or apache or php), is there some way to determine if a cron job is necessary?

Quote:
Originally Posted by unSpawn View Post
- Look up who owns the cron files and its parent directory,
- Look up which user the cron daemon runs at.
- echo those account names into /etc/cron.allow.
I did sudo ls -ral /etc/cron* and all the resulting directories and files are owned by root. Not sure where else I might find cron files or their parent directories. Unless I'm mistaken, the following command tells me that the cron daemon is owned by root:
Code:
$ sudo ps -aux | grep cron
Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html
root       712  0.0  0.0  21076  1016 ?        Ss   Aug01   0:00 cron
sneakyimp     4692  0.0  0.0   7624   924 pts/1    S+   16:51   0:00 grep --color=auto cron

Quote:
Originally Posted by unSpawn View Post
If you 'getent services sieve' it should only return one service name entry and not multiple ones as that collides with IANA port assignments. Note in a few cases there's duplicate or alternative service names: pick the one Ubuntu applications and documentation support.
This command appears to return two items:
Code:
$ sudo getent services sieve
cisco-sccp            2000/tcp sieve
So the point is to reconfigure one service or the other to a different port? This sounds like a good way to break things. I wonder what these services do

Quote:
Originally Posted by unSpawn View Post
For human accounts I'd suggest 'umask 027': edit shell resource files for existing users and modify /etc/skell shell resource files for new users. Services may go with the default or '022' as output is often confined to directories owned by the user running the daemon. Also consult the above "environment" page.
Shell resource files? Every sentence here is a bit over my head.


Quote:
Originally Posted by unSpawn View Post
Use sudo?
Got those echo > file things sorted. I tried to edit the original post out of embarassment but was too late.


Quote:
Originally Posted by unSpawn View Post
Ignore known /dev/ entries.
I don't know anything about these entries at all. Please elaborate?

Quote:
Originally Posted by unSpawn View Post
Best left at distro default unless some service needs access. What does 'sudo stat /var/log/btmp' say?
Code:
$ sudo stat /var/log/btmp
  File: `/var/log/btmp'
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 801h/2049d	Inode: 460973      Links: 1
Access: (0660/-rw-rw----)  Uid: (    0/    root)   Gid: (   43/    utmp)
Access: 2011-08-01 06:50:10.000000000 +0000
Modify: 2011-08-01 06:50:10.000000000 +0000
Change: 2011-08-01 06:50:10.000000000 +0000

Quote:
Originally Posted by unSpawn View Post
Does /etc/login.defs even exist?
Aye it does exist.

Quote:
Originally Posted by unSpawn View Post
No, it's your DHCP client!
I'm somewhat shocked that my server would need a DHCP client. Does this mean my internal IP address is likely to change? Is the DHCP client listening on a port so that it knows when its IP has been reassigned? I'm worried now that my iptables rules might block some critical incoming notification about the IP address changing at which point my computer fails to listen and becomes unresponsive.

Quote:
Originally Posted by unSpawn View Post
Maybe false positive. Have to look it up.
Unexpected device file...what does it mean?

Quote:
Originally Posted by unSpawn View Post
Well now you know a little more. Moe importantly you know how you can find information yourself. This should become second nature real soon leaving you with only the important questions to ask. BTW next time I'll be talking to you you probably have Apache, MySQL and PHP installed.. :-]
Really?? Are we there yet? I'm really grateful for the hand-holding and do feel as though I understand a lot more. The learning curve this past week or two has been pretty rough and I'm extremely anxious to move on. I still have some substantial anxiety about these items:
* samhain is installed and running (and has even sent a couple of notifications when I start it up). I'm wondering what I might do to trigger a notification. Obviously, I want to make sure it's properly detecting intrusions. I could also use a bit of help understanding what the startup notifications mean.
* I've still got some issues with postfix. Namely, mail to root@localhost is not getting delivered. It somehow gets transmogrified into root@localhost.myplan.com and then rejected with 'local delivery is disabled'. *sigh*.
* For Apache/MySQL/PHP, I expect to install using packages of course, but I'm wondering how to keep these up-to-date. You've recommended a staging machine before but I'm wondering if it might be safe to automate security updates? I seriously doubt I'll get authorization for enough hours to continuously monitor this machine and test and apply each patch individually. I'm thinking the best I can hope for is a (brief) monthly audit. Any advice welcome.
 
Old 08-02-2011, 01:33 PM   #49
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,896

Rep: Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774Reputation: 774
Quote:
Quote: Originally Posted by sneakyimp
Code:
--WARN-- [lin012w] The system accepts ICMP redirection messages
Quote:
Originally Posted by unSpawn
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
I have performed this step (and even tried sudo ech0 0 >) but it says permission denied. Suggestions?

Use sudo?
There is something, err, variant about the way Ubuntu handles this - I've seen this with the set-up stuff for a firewall. Where, with most distros you'd expect to be able to echo 1's or 0's to the appropriate place in the proc filesystem, from your set up script (as root, of course, which seems to be the source of the problem), Ubuntu seems unhappy with this.

For Ubuntu, it seems that you need the formal sysctl interface to make the changes: 'man sysctl' for more details.
 
Old 08-02-2011, 04:58 PM   #50
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,139
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Quote:
Originally Posted by sneakyimp View Post
AFAIK, sneakyimp and sneakyimps_boss will only be able to login using a 4096-bit cert. I didn't give these users passwords. Do we really need to fiddle with their passwd expiration values? Am I missing something here?
Human user accounts need passwords. Passwords need to be changed every so often. If the password isn't changed to Something Completely Different then locking out an account seems prudent.


Quote:
Originally Posted by sneakyimp View Post
I don't understand what sudo find / -xdev -user ${LOGNAME} does. I see that this command returns a lot of files for my own account. Am I to su as each user and then run the command?
No, just sudo-run find for each account name slotted for disabling to find files owned by the user.


Quote:
Originally Posted by sneakyimp View Post
Is there an easy/foolproof way to determine whether a package is a dependency?
I'm not distro-agnostic enough to recommend any of 'apt-cache depends' or 'apt-rdepends' or 'dpkg-deb -I' or 'dpkg --info' over the other. Please consult the manual and info pages for each.


Quote:
Originally Posted by sneakyimp View Post
My fear here is that I'll deny cron access to some user that runs an important cron job.
Instead of explicitly allowing certain users you could blacklist users that are known to not run or need cron jobs. Echo those accounts into /etc/{at,cron}.deny.


Quote:
Originally Posted by sneakyimp View Post
All of the cron jobs in /etc/cron* are user and group ROOT.
/etc is for the system and cron files usually are owned and writable by root as the cron daemon runs them on behalf of root (/etc/crontab or equivalent).


Quote:
Originally Posted by sneakyimp View Post
Is there some way to determine which users currently have cron jobs? Or, for new packages/services/applications (e.g., mysql or apache or php), is there some way to determine if a cron job is necessary?
Non-root users usually have their crontab in the cron spool dir but starting or replacing a crontab is easy, see 'man 1 crontab', "-u [file|-]". Seen it before. Cron jobs or tabs should be seen added to any /etc/cron* location or created in the cron spool dir.



Quote:
Originally Posted by sneakyimp View Post
the cron daemon is owned by root:
Runs as root, yes.


Quote:
Originally Posted by sneakyimp View Post
This command appears to return two items:
Code:
$ sudo getent services sieve
cisco-sccp            2000/tcp sieve
So the point is to reconfigure one service or the other to a different port? This sounds like a good way to break things.
No, listed this way "sieve" becomes an alias which is OK.


Quote:
Originally Posted by sneakyimp View Post
I wonder what these services do
Use the Search, Luke...


Quote:
Originally Posted by sneakyimp View Post
Every sentence here is a bit over my head.
The "environment" page calls them "shell config files": please start at "Persistent environment variables".


Quote:
Originally Posted by sneakyimp View Post
I don't know anything about these entries at all. Please elaborate?
List udev package, grep for items.


Quote:
Originally Posted by sneakyimp View Post
Code:
Access: (0660/-rw-rw----)  Uid: (    0/    root)   Gid: (   43/    utmp)
Both root and utmp are allowed to write to btmp, the latter because of non-root processes. Suggest leaving it as it is.


Quote:
Originally Posted by sneakyimp View Post
Aye it does exist.
Please consult the Ubuntu documentation if you should use 'pam_umask' for daemons (and users?). For users umask can be set in /etc/profile, /etc/login.defs, and users can change theirs in ~/.profile and ~/.bashrc. For login.defs an umask entry looks like "UMASK 027".


Quote:
Originally Posted by sneakyimp View Post
I'm somewhat shocked that my server would need a DHCP client. Does this mean my internal IP address is likely to change?
Please consult AWS documentation with respect to MAC - IP assignments, lease time


Quote:
Originally Posted by sneakyimp View Post
Is the DHCP client listening on a port so that it knows when its IP has been reassigned?
That's not how I whould phrase it but in short: yes. Please see the documentation that comes with the package for an overview or use a 'net search.


Quote:
Originally Posted by sneakyimp View Post
I'm worried now that my iptables rules might block some critical incoming notification about the IP address changing at which point my computer fails to listen and becomes unresponsive.
Hmm. Good time to refresh your rule listing if you've made any changes since we last saw it.


Quote:
Originally Posted by sneakyimp View Post
Unexpected device file...what does it mean?
Have to look it up.


Quote:
Originally Posted by sneakyimp View Post
Really?? Are we there yet? (..) I'm extremely anxious to move on.
No we aren't but I've shown you one method to use in addition to your distribution and general system security documentation I posted earlier on. From here on it is your choice and responsibility to read and revisit (or not) said documentation, use checklists (or not) to track progress and issues, run tests (or not) to evaluate the systems security footprint, etc, etc...


Quote:
Originally Posted by sneakyimp View Post
samhain is installed and running (and has even sent a couple of notifications when I start it up). I'm wondering what I might do to trigger a notification. Obviously, I want to make sure it's properly detecting intrusions. I could also use a bit of help understanding what the startup notifications mean.
Please break out all Samhain issues to a new thread, attach config ('grep -v ^# samhainrc|grep .;') and complete (error) messages.


Quote:
Originally Posted by sneakyimp View Post
Best leave separate threads separate and hope a fellow LQ member shows up. In the meanwhile reading the Postfix configuration examples may work as it's one of the hits when I search for "local_transport = error:local delivery is disabled"...


Quote:
Originally Posted by sneakyimp View Post
For Apache/MySQL/PHP, I expect to install using packages of course, but I'm wondering how to keep these up-to-date. You've recommended a staging machine before but I'm wondering if it might be safe to automate security updates?
LTS is meant to provide a stable computing environment users can depend on so updates (should) have an assured level of quality to avoid service outage or worse. While on the package level this may all work out fine there still may appear local problems due to configuration, any software installed outside of package management, etc, etc. While this may be OK for the average SOHO case in a production environment loss of service means loss of money or even worse: loss of customer trust. While securing and monitoring production machines is one way to protect this investment you both make (because that's what it basically boils down to) it would seem ludicrous to not use means that may help avoid problems. It doesn't need to be a EC2 instance: it may well be on local virtualization or whatever else you can think of that you can use to test updates or configuration changes on, roll out software or just to test out new stuff out on. I'm not trying to force this on you as in the end you have to work with it: it's your decision.
 
1 members found this post helpful.
Old 08-02-2011, 07:10 PM   #51
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Quote:
Originally Posted by unSpawn
Some accounts come with the system by default and some will be installed once (server) software is installed (find out for each account with 'sudo find / -xdev -user ${LOGNAME}'). For now I would 'sudo vipw' and change the shells for games, gnats, irc, lp (probably not install CUPS), news, proxy and uucp to '/bin/false' or '/usr/sbin/nologin', ensuring there is no single point of failure. (I am not familiar with the 'list' account: check your Ubuntu documentation please).
OK got it. I've used the sudo find -user command to check each each of those users listed in the tiger report. Only daemon and libuuid have any files yet:
Code:
$ sudo find / -xdev -user daemon
/var/spool/cron/atjobs
/var/spool/cron/atjobs/.SEQ
/var/spool/cron/atspool
/usr/bin/at
$ sudo find / -xdev -user libuuid
/var/lib/libuuid
/usr/sbin/uuidd
I've set the default shell to /bin/false for the ones you recommended. These users do not appear to own any files (the find command above returned nothing) and have not yet been altered:
Code:
backup
bin
list
mail
man
nobody
sshd
sync
sys
www-data
I have incorporated mail into my postfix configuration (using flag user=mail in the master.cf file). I have seen nobody used sometimes as the apache user. www-data will eventually be my apache user. Do I need to worry about changing the default shell to /bin/false for any of these other users?
 
Old 08-02-2011, 07:56 PM   #52
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Quote:
Originally Posted by unSpawn
Run 'sudo readlink -f /path//to/symlink' and check what it is supposed to link to. Then check your packages repo what package holds the file. Decide if you need the package. Else delete the symlink.
Code:
$ sudo readlink -f /lib/udev/devices/sndstat
no result!!! Delete it? rename?
Code:
$ sudo readlink -f /usr/lib/tiger/systems/Linux/issue.net
/etc/tiger/issue.net
$ sudo dpkg -S /usr/lib/tiger/systems/Linux/issue.net
tiger: /usr/lib/tiger/systems/Linux/issue.net
definitely need this what to do about the symlink? just delete?

Code:
$ sudo readlink -f /usr/share/doc/bash/completion-contrib
/usr/share/doc/bash-completion/contrib
$ dpkg -S /usr/share/doc/bash/completion-contrib
bash-completion: /usr/share/doc/bash/completion-contrib
$ sudo apt-cache depends bash-completion
bash-completion
  Depends: bash
  Replaces: bash
$ sudo apt-cache rdepends bash-completion
bash-completion
Reverse Depends:
  nut
  libdist-zilla-perl
  bti
  brdesktop-common
  atool
  ack-grep
  ubuntu-standard
  nut
  bash
  bash
  bash
i think i need this too. delete symlink? rename?

Code:
$ sudo readlink -f /usr/share/man/man5/modprobe.d.5
/usr/share/man/modprobe.conf.5
$ dpkg -S /usr/share/man/man5/modprobe.d.5
module-init-tools: /usr/share/man/man5/modprobe.d.5
$ sudo apt-cache depends module-init-tools
module-init-tools
  Depends: libc6
  Depends: <upstart-job>
    upstart
  Breaks: initramfs-tools
sudo apt-cache rdepends module-init-tools
  [TOO LONG TO LIST]
Hm. delete symlink? rename and hope nothing breaks?
 
Old 08-03-2011, 11:21 AM   #53
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
I keep getting notifications from tiger's cron job that are arriving VERY erratically:
Code:
From: root@mydomain.com (Cron Daemon)
To: root@mydomain.com
Subject: Cron <root@ip-WWW-XXX-YYY-ZZZ>    test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; }
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <DEFAULT=/etc/default/tiger>
X-Cron-Env: <NICETIGER=10>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <00000131905f8830-befbb171-6be1-4185-89ee-0464763db0ce-000000@email.amazonses.com>
Date: Wed, 3 Aug 2011 16:00:05 +0000
X-AWS-Outgoing: 199.255.192.14

--CONFIG-- [con010c] Filesystem 'devtmpfs' used by 'none' is not recognised as a valid filesystem
A few things bother me about this:
* Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
* the email subject appears to be some kind of improperly evaluated shell command
* I don't know what to make of the message being sent.

Have I configured something improperly?
 
Old 08-03-2011, 12:00 PM   #54
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Code:
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service sieve is also assigned to service
         cisco-sccp. 
--WARN-- [inet003w] The port for service ndtp is also assigned to service
         pipe_server.
--WARN-- [inet003w] The port for service ndtp is also assigned to service
         search.
--WARN-- [inet003w] The port for service postgres is also assigned to service
         postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
         postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
         sane-port.
--WARN-- [inet003w] The port for service webcache is also assigned to service
         http-alt.
--WARN-- [inet003w] The port for service webcache is also assigned to service
         http-alt.
OK I've been looking at /etc/services and I am still trying to understand what the problem is here and how to fix it. Could you help me understand the different between the ok aliases and the real problem ones? I'm guessing this is a problem:
Code:
$ sudo cat /etc/services | grep 2010
search		2010/tcp	ndtp
pipe_server	2010/tcp
We have two distinctly named services assigned the same port/protocol without any sort of alias connecting them. Is this really a threat?
 
Old 08-03-2011, 08:09 PM   #55
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,139
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /lib/udev/devices/sndstat
no result!!! Delete it? rename?
Part of udev package. Best leave it be.


Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /usr/lib/tiger/systems/Linux/issue.net
/etc/tiger/issue.net
$ sudo dpkg -S /usr/lib/tiger/systems/Linux/issue.net
tiger: /usr/lib/tiger/systems/Linux/issue.net
definitely need this what to do about the symlink? just delete?
In the Tiger source systems/Linux/2/config, scripts/check_network and /scripts/check_issue reference "/etc/issue.net" but this seems an odd location. May be a Ubuntu or Debian addition. Dunno.


Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /usr/share/doc/bash/completion-contrib
/usr/share/doc/bash-completion/contrib
$ dpkg -S /usr/share/doc/bash/completion-contrib
bash-completion: /usr/share/doc/bash/completion-contrib
$ sudo apt-cache depends bash-completion
bash-completion
  Depends: bash
  Replaces: bash
$ sudo apt-cache rdepends bash-completion
i think i need this too. delete symlink? rename?
If you think you need it them by all means re-link it to the right location.


Quote:
Originally Posted by sneakyimp View Post
Code:
$ sudo readlink -f /usr/share/man/man5/modprobe.d.5
/usr/share/man/modprobe.conf.5
$ dpkg -S /usr/share/man/man5/modprobe.d.5
module-init-tools: /usr/share/man/man5/modprobe.d.5
Hm. delete symlink? rename and hope nothing breaks?
Should be "/usr/share/man/man5/modprobe.d.5.gz" I think.

Either way these symlinks aren't that problematic, just file system lint ('man fslint').


Quote:
Originally Posted by sneakyimp View Post
Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
Your observation is not supported by crontab entries, maillog excerpts or email headers.


Quote:
Originally Posted by sneakyimp View Post
the email subject appears to be some kind of improperly evaluated shell command
May be due to the cronjob itself. Could output to report file instead and if size is not zero email the file with the appropriate 'mail' command. BTW I don't run Tiger as a hourly cronjob. I only use it for an initial baseline and run it manually after say major changes.


Quote:
Originally Posted by sneakyimp View Post
I don't know what to make of the message being sent.
I explained how to interweave explanations in tiger reporting and besides that "tiger -E" just grabs parts from Tigers doc/ dir contents which you could grep recursively for the listed code.


Quote:
Originally Posted by sneakyimp View Post
Is this really a threat?
Both http://www.iana.org/assignments/port-numbers and http://www.freebsd.org/cgi/cvsweb.cg...e=text%2Fplain read:
Code:
search		2010/tcp
pipe_server	2010/udp
so the /etc/services file is wrong. The /etc/services "database" is used to resolve (which you usually should avoid using "-n") mappings. For example if you change "ssh 22/tcp" to read "syslog 22/tcp" then if you run sshd the 'netstat -alt' output would show "syslog" running in the address columns. It's not a threat.

Last edited by unSpawn; 08-03-2011 at 08:21 PM. Reason: //Less *is* more
 
Old 08-04-2011, 11:35 AM   #56
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Quote:
Originally Posted by sneakyimp View Post
I keep getting notifications from tiger's cron job that are arriving VERY erratically:
(...)
A few things bother me about this:
* Erratic timing. Seems to be due to an hourly cron job but I've only received it at 10pm last night, 1 am this morning, 9 am this morning, etc.
* the email subject appears to be some kind of improperly evaluated shell command
* I don't know what to make of the message being sent.

Have I configured something improperly?
The email above appears to be the result of this cron job in /etc/cron.d/tiger:
Code:
#
# Regular cron jobs for the tiger package
#
# Configuration file
DEFAULT=/etc/default/tiger
#  default setting, overriden in the above file
NICETIGER=10
#
0 * * * *      root    test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; }
The error code in the email, con010c, is nowhere to be found in any of the explanation docs in /var/log/tiger nor in any logs there.

Here is every single mail log entry from "today" on the server. The server is set to UTC time which is a pain when trying to connect mail log dates to local arrival times for my incoming email, but I believe each of these 4 messages corresponds to one of these weird tiger cron jobs -- including one that just arrived as I was creating this post:
Code:
Aug  4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[6684]: B8CBB72132: uid=0 from=<root>
Aug  4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[8616]: B8CBB72132: message-id=<20110804000004.B8CBB72132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 00:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: B8CBB72132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 00:00:05 ip-WWW-XXX-YYY-ZZZ postfix/pipe[8618]: B8CBB72132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=3.9, delays=3.1/0.01/0/0.74, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 00:00:05 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: B8CBB72132: removed
Aug  4 02:00:03 ip-WWW-XXX-YYY-ZZZ postfix/pickup[8630]: 7FF91721A6: uid=0 from=<root>
Aug  4 02:00:03 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[31301]: 7FF91721A6: message-id=<20110804020003.7FF91721A6@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 02:00:03 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 7FF91721A6: from=<root@mydomain.com>, size=591, nrcpt=1 (queue active)
Aug  4 02:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pipe[31308]: 7FF91721A6: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=0.68, delays=0.04/0.01/0/0.64, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 02:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 7FF91721A6: removed
Aug  4 05:00:02 ip-WWW-XXX-YYY-ZZZ postfix/pickup[31434]: D238A72132: uid=0 from=<root>
Aug  4 05:00:02 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[32499]: D238A72132: message-id=<20110804050002.D238A72132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 05:00:02 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D238A72132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 05:00:03 ip-WWW-XXX-YYY-ZZZ postfix/pipe[32501]: D238A72132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=1.1, delays=0.18/0.01/0/0.95, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 05:00:03 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D238A72132: removed
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[492]: 3AD2572132: uid=0 from=<root>
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[2307]: 3AD2572132: message-id=<20110804080004.3AD2572132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 3AD2572132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pipe[2309]: 3AD2572132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=3.6, delays=2.9/0.01/0/0.72, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 08:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: 3AD2572132: removed
Aug  4 16:00:04 ip-WWW-XXX-YYY-ZZZ postfix/pickup[3339]: D3B2A72132: uid=0 from=<root>
Aug  4 16:00:04 ip-WWW-XXX-YYY-ZZZ postfix/cleanup[5204]: D3B2A72132: message-id=<20110804160004.D3B2A72132@ip-WWW-XXX-YYY-ZZZ.mydomain.com>
Aug  4 16:00:04 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D3B2A72132: from=<root@mydomain.com>, size=792, nrcpt=1 (queue active)
Aug  4 16:00:05 ip-WWW-XXX-YYY-ZZZ postfix/pipe[5206]: D3B2A72132: to=<root@mydomain.com>, orig_to=<root>, relay=aws-email, delay=3.6, delays=3/0.01/0/0.6, dsn=2.0.0, status=sent (delivered via aws-email service)
Aug  4 16:00:05 ip-WWW-XXX-YYY-ZZZ postfix/qmgr[6461]: D3B2A72132: removed
Here's a complete email -- the latest one (with domains and incriminating IPs redacted):
Code:
                                                                                                                                                                                                                                                               
Delivered-To: root@mydomain.com
Received: by 10.42.2.201 with SMTP id 9cs154136icl;
        Thu, 4 Aug 2011 09:00:08 -0700 (PDT)
Received: by 10.224.201.194 with SMTP id fb2mr762848qab.208.1312473607760;
        Thu, 04 Aug 2011 09:00:07 -0700 (PDT)
Return-Path: <000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com>
Received: from a192-14.smtp-out.amazonses.com (a192-14.smtp-out.amazonses.com [199.255.192.14])
        by mx.google.com with ESMTP id fi1si4410526qab.32.2011.08.04.09.00.06;
        Thu, 04 Aug 2011 09:00:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of 000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com designates 199.255.192.14 as permitted sender) client-ip=199.255.192.14;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of 000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com designates 199.255.192.14 as permitted sender) smtp.mail=000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com
Return-Path: 000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email-bounces.amazonses.com
From: root@mydomain.com (Cron Daemon)
To: root@mydomain.com
Subject: Cron <root@ip-WWW-XXX-YYY-ZZZ>    test -x /usr/sbin/tigercron && { [ -r "$DEFAULT" ] && . "$DEFAULT" ; nice -n$NICETIGER /usr/sbin/tigercron -q ; }
Content-Type: text/plain; charset=ANSI_X3.4-1968
X-Cron-Env: <DEFAULT=/etc/default/tiger>
X-Cron-Env: <NICETIGER=10>
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <000001319585e423-d10c94f7-c316-400a-a89b-af00d42ddcc1-000000@email.amazonses.com>
Date: Thu, 4 Aug 2011 16:00:05 +0000
X-AWS-Outgoing: 199.255.192.14

--CONFIG-- [con010c] Filesystem 'devtmpfs' used by 'none' is not recognised as a valid filesystem
Quote:
Originally Posted by unSpawn
I explained how to interweave explanations in tiger reporting and besides that "tiger -E" just grabs parts from Tigers doc/ dir contents which you could grep recursively for the listed code.
That particular error code doesn't exist in any explanation logs in /var/log/tiger. I've tried looking in the script /usr/sbin/tigercron, but I can't locate any place to put an -e or -E flag in there.

Ultimately, I'm most keen to understand what kind of problem this is reporting and whether it needs fixing and, if so, how to fix it. I did a google search on the error string and it looks like some people are treating it as a bug.

As for the wonky symlinks, it doesn't sound from your post as though you consider them to be any sort of threat. I have no desire to fix them unless they are going to interfere with my server's proper functioning. How about I just leave them alone? Ditto for the /etc/services file. Maybe I could notify a developer or package maintainer somehwere? File a bug report?

Some good news: Finally worked out the postfix configuration to my liking. Also have samhain playing nice with email. Hoping to complete install of fail2ban today.
 
Old 08-04-2011, 12:49 PM   #57
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
Code:
# Performing check of PATH components...
--WARN-- [path009w] /etc/profile does not export an initial setting for PATH.
Quote:
Originally Posted by unSpawn View Post
Documentation. See https://help.ubuntu.com/community/EnvironmentVariables (Ubuntu: /etc/environment).
I'm somewhat familiar with environment variables. The Ubuntu docs you link list /etc/profile immediately under the words "not recommended." I've been googling around for path009w and see a lot of people asking about this particular complaint but I haven't found a solution anywhere. There is a file mentioned in the Ubuntu docs, /etc/environment. which does in fact contain a PATH variable. I'm wondering if the tiger complaint is applicable on an ubuntu system?
 
Old 08-04-2011, 01:16 PM   #58
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
I want to understand the goal for these tiger complaints:
[code]
# Checking for correct umask settings for init scripts...
--WARN-- [misc021w] There are no umask entries in /etc/init.d/rcS
# Checking for correct umask settings for user login shells...
--WARN-- [misc026w] There is no default umask settings for user login shells
in /etc/login.defs
[code]
It's to insure a umask of 022 for services and one of 027 for human users?
 
Old 08-05-2011, 07:32 PM   #59
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
I'm hoping to install a few more packages
* fail2ban - Because this program monitors logs, I'm thinking I should try to install FTP or SFTP first in the hope that the fail2ban package installer will automatically locate the ftp files and configure itself to watch them.
* sftp - we'll need a file transfer program to maintain the website assets. I'm accustomed to installing protfpd or vsftpd but am hoping to make sure that all FTP connections are encrypted. Is that sftp? or ftp-over-ssl ?
* chkrootkit - this was apparently installed with tiger but you instructed me to run it separately. Any additional configuration detail for this would be most helpful.
 
Old 08-05-2011, 09:36 PM   #60
sneakyimp
Member
 
Registered: Dec 2004
Posts: 795

Original Poster
Rep: Reputation: 50
I went ahead and installed fail2ban. I've checked out the config and it looks straightforward. I've tested it and it is working.
 
  


Reply

Tags
hardening, lamp, ubuntu


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Is this a compromised machine. jovie Linux - Security 1 03-14-2007 04:18 AM
Configuring a transparent proxy on a client machine ONLY instead of a server machine. clinux_rulz Linux - Networking 1 05-31-2006 02:53 AM
Machine compromised, now have ports opened tvn Fedora 1 09-13-2005 05:30 PM
Compromised machine delling81 Linux - Security 3 04-05-2005 10:20 PM
If I had a compromised machine... TheIrish Linux - Security 9 11-28-2003 01:31 PM


All times are GMT -5. The time now is 07:05 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration