LinuxQuestions.org > Linux - Security > TIGER scan security report --FAIL--
(http://www.linuxquestions.org/questions/linux-security-4/tiger-scan-security-report-fail-901144/)

wolfv 09-04-2011 11:06 PM

TIGER scan security report --FAIL--
 
I ran TIGER scan on my Ubuntu 11.04. Are any of the following --FAIL-- something to get concerned about?
Code:

$ sudo grep FAIL /var/log/tiger/security.report.sandy.110904-20:43
--FAIL-- [lin016f] The system permits source routing from incoming packets
--FAIL-- [lin019f] The system does not have any local firewall rules
--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [dev002f] /dev/rfkill has world permissions
--FAIL-- [logf007f] Log file /var/log/messages does not exist
--FAIL-- [ssh005w] Cannot find a configuration file for SSH.
--FAIL-- [netw020f] There is no /etc/ftpusers file.

Thank you for looking at this.

unSpawn 09-05-2011 12:18 AM

Quote:

Originally Posted by wolfv (Post 4461647)
Are any of the following --FAIL-- something to get concerned about?

Depends on the location in the network of the device / system (like isolated LAN vs 'net-facing), its purpose (like services) and what the distribution supplies as defaults (as in default firewall rules vs figure-out-ufw-yourself). Note you can also play with Tiger's -e / -E flags wrt having explanations for your report.

wolfv 09-05-2011 02:33 AM

Thanks unSpawn.

This is an ordinary desktop home-PC connected to the Internet via DSL modem. The Ubuntu 11.04 configuration is mostly default. I just want to make it secure for banking online. The relevant parts of the explanation report are below.

sudo tiger -E
...

sudo grep FAIL /var/log/tiger/security.report.sandy.110905-00:47
--FAIL-- [lin016f] The system permits source routing from incoming packets
--FAIL-- [lin019f] The system does not have any local firewall rules
--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [dev002f] /dev/rfkill has world permissions
--FAIL-- [logf007f] Log file /var/log/messages does not exist
--FAIL-- [ssh005w] Cannot find a configuration file for SSH.
--FAIL-- [netw020f] There is no /etc/ftpusers file.

sudo more /var/log/tiger/explain.report.sandy.110905-00:47
Message ID: dev002f
Devices that have improper (world) permissions might be accessed by any
system user. This might open security holes if these are shared devices
or hold binaries (disks for example). The administrator should properly
set device access (using group configuration to provide access to a
device to multiple users, for example).

Message ID: lin016f
Source routing might permit an attacker to send packets through your
host (if routing is enabled) to other hosts without following your
network topology setup. It should be enabled only under very special
circumstances or otherwise an attacker could try to bypass the traffic
filtering that is done on the network:
# sysctl -w net.ipv4.conf.all.accept_source_route = 0
and:
# sysctl -w net.ipv4.conf.default.accept_source_route = 0

Message ID: lin019f
The system has no firewalling rules in place to limit access to network
services and protocols. Considering configuring a set of local firewall
rules adapted to your needs. There are multiple firewall generation
software you can use to generate these (such as Bastille, Shorewall,
Firestarter, or Knetfiler). Local firewall rules can be used to block
undesired incoming and outgoing traffic and can be useful to prevent
access to network services that are listening on all system interfaces,
only want to be used from specific hosts (or interfaces) and lack
capabilities to either restrict its use to specific local network
IP addresses or hosts. If the system is multi-home a local firewall
configuration will prevent spoofing attacks due to "weak end host" issues.

Message ID: logf007f
The log file "messages" should exist to show a trace of the system
logs (including reboots and kernel messages), it is also often used by
the syslog daemon to log information. The contents of the "messages"
logfile depends upon the configuration of the syslog.conf and varies by
distribution and/or system administrator preference. It might not exist
if you have configured your system to use a different file for logging
or if an intruder has tried to cover his tracks by removing it since
the messages file might contain bad login attempts from local users and
remote hosts.

Message ID: netw020f
There is no ftpusers configuration file. In some systems this might
enable all administrative users (low UID) to access the local FTP server
if it is enabled (some other systems might deprecate its use). It is
recommended that administrative users are added into /etc/ftpusers if
you have a FTP server installed.

Message ID: ssh005w
Can not find explanation for message-id ssh005w

unSpawn 09-05-2011 01:02 PM

Quote:

Originally Posted by wolfv (Post 4461772)
The relevant parts of the explanation report is below.

Having explanations actually was a hint for you to inspect your system and change configuration where necessary or dismiss warnings for services that don't exist.


Quote:

Originally Posted by wolfv (Post 4461772)
Message ID: dev002f
Devices that have improper (world) permissions might be accessed by any
system user. This might open security holes if these are shared devices
or hold binaries (disks for example). The administrator should properly
set device access (using group configuration to provide access to a
device to multiple users, for example).

AFAIK the device should be owner root. The group name depends on what group FUSE users are in.


Quote:

Originally Posted by wolfv (Post 4461772)
Message ID: lin016f

Apply the sysctls offered?


Quote:

Originally Posted by wolfv (Post 4461772)
Message ID: lin019f
The system has no firewalling rules in place to limit access to network
services and protocols. Considering configuring a set of local firewall
rules adapted to your needs.

This explanation should be clear. AFAIK Ubuntu installs an iptables frontend called 'ufw' by default, else just use 'iptables'. Searching this forum for "iptables" should give you enough to start reading should you have questions about rule sets. Running without a firewall is not advisable. Some may use hiding behind a NAT router as a mitigating circumstance but that can be countered easily talking about single point of failure scenarios.


Quote:

Originally Posted by wolfv (Post 4461772)
Message ID: logf007f
(..) The contents of the "messages" logfile depends upon the
configuration of the syslog.conf and varies by distribution
and/or system administrator preference.

Check /etc/syslog.conf to determine what Ubuntu / Debian uses as default.


Quote:

Originally Posted by wolfv (Post 4461772)
Message ID: netw020f
There is no ftpusers configuration file.

Depends on if you have a FTP daemon installed.


Quote:

Originally Posted by wolfv (Post 4461772)
Message ID: ssh005w
Can not find explanation for message-id ssh005w

Tiger, if the SSHD_CONFIG variable is not defined, searches for /usr/local/etc/sshd_config, /etc/sshd_config, /etc/ssh2/sshd2_config or /etc/ssh/sshd_config. Of course if OpenSSH isn't installed this is no issue.
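
An added example, not code from the thread or from Tiger, that scripts the checks unSpawn walks through: the two source-routing sysctls, world permission bits on a device such as /dev/fuse, Tiger's sshd_config search order, and whether iptables has anything beyond its default policies. The function names are mine, and the sysctl root and the `iptables -S` text are parameters so each check can be exercised against constructed input without root.

```shell
#!/bin/sh
# Added example (not from the thread): each check returns 0 (pass) or
# 1 (fail) so the Tiger findings can be re-verified after changes.

# lin016f: source routing must be off for both "all" and "default".
# $1 = sysctl root (defaults to /proc/sys) so a copy can be checked offline.
check_source_routing() {
    root=${1:-/proc/sys}
    for iface in all default; do
        f="$root/net/ipv4/conf/$iface/accept_source_route"
        [ -f "$f" ] || return 1
        [ "$(cat "$f")" = "0" ] || return 1
    done
    return 0
}

# dev002f: "world permissions" means any bit set in the last octal digit.
# $1 = mode as printed by `stat -c %a /dev/fuse` (e.g. 666 or 0660).
mode_is_world_accessible() {
    [ -n "$1" ] || return 1        # no device, nothing to flag
    case "$1" in
        *0) return 1 ;;            # 0660, 640, ...: "other" has no access
        *)  return 0 ;;
    esac
}

# ssh005w: Tiger's search order when SSHD_CONFIG is not set.
# $1 optionally overrides SSHD_CONFIG; prints the first file found.
find_sshd_config() {
    for f in "${1:-${SSHD_CONFIG:-}}" /usr/local/etc/sshd_config \
             /etc/sshd_config /etc/ssh2/sshd2_config /etc/ssh/sshd_config; do
        if [ -n "$f" ] && [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# lin019f: feed `iptables -S` output on stdin. A box with "no local firewall
# rules" shows only the three default -P policy lines (the thread's fix:
# sudo ufw default deny; sudo ufw enable).
has_firewall_rules() {
    grep -v '^-P ' | grep -q .
}

# Live run against this host; needs root for iptables.
if [ "$(id -u)" = 0 ]; then
    check_source_routing && echo "lin016f PASS" || echo "lin016f FAIL"
    mode_is_world_accessible "$(stat -c %a /dev/fuse 2>/dev/null)" \
        && echo "dev002f FAIL (/dev/fuse)" || echo "dev002f PASS"
    find_sshd_config >/dev/null && echo "ssh005w PASS" || echo "ssh005w FAIL"
    iptables -S 2>/dev/null | has_firewall_rules && echo "lin019f PASS" || echo "lin019f FAIL"
fi
```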

wolfv 09-05-2011 06:38 PM

UnSpawn,

I have come to the realization that Unix security is over my head. :( I just wanted secure on-line banking. I do appreciate you explaining so much.

In your opinion, which is more secure for on-line banking:
  • Windows 7 with an anti-virus and default configurations
  • Ubuntu 10.04 with default configurations

SeRi@lDiE 09-06-2011 12:31 PM

Quote:

Originally Posted by wolfv (Post 4462397)
UnSpawn,

I have come to the realization that Unix security is over my head. :( I just wanted secure on-line banking. I do appreciate you explaining so much.

In your opinion, which is more secure for on-line banking:
  • Windows 7 with an anti-virus and default configurations
  • Ubuntu 10.04 with default configurations

IMO, neither.
Security starts with the user. If you are not security conscious then both systems can be compromised at any time.

unSpawn 09-08-2011 02:39 AM

Quote:

Originally Posted by SeRi@lDiE (Post 4463106)
Security starts with the user.

I agree with that but I do not agree with this:
Quote:

Originally Posted by SeRi@lDiE (Post 4463106)
IMO, neither.

and there are a few reasons for that among which are architecture (like separation of privileges), integration (the way applications are interwoven with the OS) and what a default installation provides (or not). With a default installation of a recent desktop version of MICROS~1 it should have between thirty and fifty services enabled by default. If the firewall is enabled it will still, according to connection profiles, allow access to certain services. A default Ubuntu desktop installation should show no services installed that allow access to certain services and if the firewall is not installed by default then a 'sudo apt-get install ufw; sudo ufw default deny; sudo ufw enable' will mitigate this and block access to any service even if it would allow inbound connections. And having one library effectively crippling the OS is not possible with Linux (well, it's not impossible but as there's no direct exposure there's no direct avenue of attack) but with the Other OS it has been. That said these days compromises are so much more than security breaches on the OS level and if you look at CVEs then I'd still maintain MICROS~1 always has and still has a larger attack surface than Linux.

SeRi@lDiE 09-08-2011 07:51 PM

Quote:

Originally Posted by unSpawn (Post 4465035)
I agree with that but I do not agree with this:

and there are a few reasons for that among which are architecture (like separation of privileges), integration (the way applications are interwoven with the OS) and what a default installation provides (or not). With a default installation of a recent desktop version of MICROS~1 it should have between thirty and fifty services enabled by default. If the firewall is enabled it will still, according to connection profiles, allow access to certain services. A default Ubuntu desktop installation should show no services installed that allow access to certain services and if the firewall is not installed by default then a 'sudo apt-get install ufw; sudo ufw default deny; sudo ufw enable' will mitigate this and block access to any service even if it would allow inbound connections. And having one library effectively crippling the OS is not possible with Linux (well, it's not impossible but as there's no direct exposure there's no direct avenue of attack) but with the Other OS it has been. That said these days compromises are so much more than security breaches on the OS level and if you look at CVEs then I'd still maintain MICROS~1 always has and still has a larger attack surface than Linux.

I agree. Though I do stand by my statement.... while one OS is stronger than the other, if the user has no clue what he or she is doing the OS will just be compromised as fast if not faster than any other OS. Time record at work was a default Linux setup with a tmp password of "maria"; it got hacked within 10 min of being on the network.
