LinuxQuestions.org
Old 09-05-2011, 12:06 AM   #1
wolfv
LQ Newbie
 
Registered: Feb 2010
Posts: 8

Rep: Reputation: 1
TIGER scan security report --FAIL--


I ran TIGER scan on my Ubuntu 11.04. Are any of the following --FAIL-- something to get concerned about?
Code:
$ sudo grep FAIL /var/log/tiger/security.report.sandy.110904-20:43
--FAIL-- [lin016f] The system permits source routing from incoming packets 
--FAIL-- [lin019f] The system does not have any local firewall rules 
--FAIL-- [dev002f] /dev/fuse has world permissions 
--FAIL-- [dev002f] /dev/rfkill has world permissions 
--FAIL-- [logf007f] Log file /var/log/messages does not exist 
--FAIL-- [ssh005w] Cannot find a configuration file for SSH. 
--FAIL-- [netw020f] There is no /etc/ftpusers file.
Thank you for looking at this.
 
Old 09-05-2011, 01:18 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Quote:
Originally Posted by wolfv View Post
Are any of the following --FAIL-- something to get concerned about?
Depends on the location in the network of the device / system (like isolated LAN vs 'net-facing), its purpose (like services) and what the distribution supplies as defaults (as in default firewall rules vs figure-out-ufw-yourself). Note you can also play with Tiger's -e / -E flags wrt having explanations for your report.
 
Old 09-05-2011, 03:33 AM   #3
wolfv
LQ Newbie
 
Registered: Feb 2010
Posts: 8

Original Poster
Rep: Reputation: 1

Thanks unSpawn.

This is an ordinary desktop home-PC connected to the Internet via DSL modem. The Ubuntu 11.04 configuration is mostly default. I just want to make it secure for banking online. The relevant parts of the explanation report are below.

sudo tiger -E
...

sudo grep FAIL /var/log/tiger/security.report.sandy.110905-00:47
--FAIL-- [lin016f] The system permits source routing from incoming packets
--FAIL-- [lin019f] The system does not have any local firewall rules
--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [dev002f] /dev/rfkill has world permissions
--FAIL-- [logf007f] Log file /var/log/messages does not exist
--FAIL-- [ssh005w] Cannot find a configuration file for SSH.
--FAIL-- [netw020f] There is no /etc/ftpusers file.

sudo more /var/log/tiger/explain.report.sandy.110905-00:47
Message ID: dev002f
Devices that have improper (world) permissions might be accessed by any
system user. This might open security holes if these are shared devices
or hold binaries (disks for example). The administrator should properly
set device access (using group configuration to provide access to a
device to multiple users, for example).

Message ID: lin016f
Source routing might permit an attacker to send packets through your
host (if routing is enabled) to other hosts without following your
network topology setup. It should be enabled only under very special
circumstances or otherwise an attacker could try to bypass the traffic
filtering that is done on the network:
# sysctl -w net.ipv4.conf.all.accept_source_route = 0
and:
# sysctl -w net.ipv4.conf.default.accept_source_route = 0

Message ID: lin019f
The system has no firewalling rules in place to limit access to network
services and protocols. Considering configuring a set of local firewall
rules adapted to your needs. There are multiple firewall generation
software you can use to generate these (such as Bastille, Shorewall,
Firestarter, or Knetfiler). Local firewall rules can be used to block
undesired incoming and outgoing traffic and can be useful to prevent
access to network services that are listening on all system interfaces,
only want to be used from specific hosts (or interfaces) and lack
capabilities to either restrict its use to specific local network
IP addresses or hosts. If the system is multi-home a local firewall
configuration will prevent spoofing attacks due to "weak end host" issues.

Message ID: logf007f
The log file "messages" should exist to show a trace of the system
logs (including reboots and kernel messages), it is also often used by
the syslog daemon to log information. The contents of the "messages"
logfile depends upon the configuration of the syslog.conf and varies by
distribution and/or system administrator preference. It might not exist
if you have configured your system to use a different file for logging
or if an intruder has tried to cover his tracks by removing it since
the messages file might contain bad login attempts from local users and
remote hosts.

Message ID: netw020f
There is no ftpusers configuration file. In some systems this might
enable all administrative users (low UID) to access the local FTP server
if it is enabled (some other systems might deprecate its use). It is
recommended that administrative users are added into /etc/ftpusers if
you have a FTP server installed.

Message ID: ssh005w
Can not find explanation for message-id ssh005w

Last edited by wolfv; 09-05-2011 at 03:35 AM.
 
Old 09-05-2011, 02:02 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Quote:
Originally Posted by wolfv View Post
The relevant parts of the explanation report are below.
Having explanations actually was a hint for you to inspect your system and change configuration where necessary or dismiss warnings for services that don't exist.


Quote:
Originally Posted by wolfv View Post
Message ID: dev002f
Devices that have improper (world) permissions might be accessed by any
system user. This might open security holes if these are shared devices
or hold binaries (disks for example). The administrator should properly
set device access (using group configuration to provide access to a
device to multiple users, for example).
AFAIK the device should be owner root. The group name depends on what group FUSE users are in.


Quote:
Originally Posted by wolfv View Post
Message ID: lin016f
Apply the sysctls offered?


Quote:
Originally Posted by wolfv View Post
Message ID: lin019f
The system has no firewalling rules in place to limit access to network
services and protocols. Considering configuring a set of local firewall
rules adapted to your needs.
This explanation should be clear. AFAIK Ubuntu installs an iptables frontend called 'ufw' by default, else just use 'iptables'. Searching this forum for "iptables" should give you enough to start reading should you have questions about rule sets. Running without firewall is not advisable. Some may use hiding behind a NAT router as mitigating circumstance but that can be countered easily talking about single point of failure scenarios.


Quote:
Originally Posted by wolfv View Post
Message ID: logf007f
(..) The contents of the "messages" logfile depends upon the
configuration of the syslog.conf and varies by distribution
and/or system administrator preference.
Check /etc/syslog.conf to determine what Ubuntu / Debian uses as default.


Quote:
Originally Posted by wolfv View Post
Message ID: netw020f
There is no ftpusers configuration file.
Depends on if you have a FTP daemon installed.


Quote:
Originally Posted by wolfv View Post
Message ID: ssh005w
Can not find explanation for message-id ssh005w
Tiger, if the SSHD_CONFIG variable is not defined, searches for /usr/local/etc/sshd_config, /etc/sshd_config, /etc/ssh2/sshd2_config or /etc/ssh/sshd_config. Of course if OpenSSH isn't installed this is no issue.
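The checks unSpawn walks through above (sysctls for lin016f, firewall rules for lin019f, device modes for dev002f, the log file, the sshd_config search path and /etc/ftpusers) can be re-run by hand from the report. The script below is an added example and is not part of the thread or of Tiger itself: it pulls the message IDs out of a report on stdin and re-checks each one locally. The sample report lines are a constructed copy of the ones posted; the root prefix argument (empty for the live system) and the function names are my own, and `stat -c '%a'` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: re-check Tiger --FAIL-- findings with plain shell so each one can
# be confirmed or dismissed. $1 of the check functions is a root prefix (empty =
# live system) so the same code can be exercised against a scratch directory.

# Constructed copy of the FAIL lines from the report posted in this thread.
TIGER_SAMPLE_REPORT='--FAIL-- [lin016f] The system permits source routing from incoming packets
--FAIL-- [lin019f] The system does not have any local firewall rules
--FAIL-- [dev002f] /dev/fuse has world permissions
--FAIL-- [dev002f] /dev/rfkill has world permissions
--FAIL-- [logf007f] Log file /var/log/messages does not exist
--FAIL-- [ssh005w] Cannot find a configuration file for SSH.
--FAIL-- [netw020f] There is no /etc/ftpusers file.'

# Print the distinct message IDs of the --FAIL-- lines read from stdin.
tiger_fail_ids() {
    sed -n 's/^--FAIL-- \[\([a-z0-9]*\)].*/\1/p' | sort -u
}

# Print the device paths named by dev002f lines read from stdin.
tiger_dev002f_paths() {
    sed -n 's|^--FAIL-- \[dev002f] \(/[^ ]*\) has world permissions.*|\1|p'
}

# lin016f: exit 0 when the kernel still accepts source-routed IPv4 packets,
# i.e. accept_source_route is non-zero for "all" or "default".
source_routing_enabled() {
    root=${1:-}
    for iface in all default; do
        f="$root/proc/sys/net/ipv4/conf/$iface/accept_source_route"
        [ -r "$f" ] || continue
        val=$(tr -d '[:space:]' < "$f")
        [ "$val" != "0" ] && return 0
    done
    return 1
}

# lin019f: exit 0 when an iptables-save style dump on stdin has at least one
# rule (-A line) or a built-in chain whose policy is not ACCEPT.
has_firewall_rules() {
    grep -Eq '^-A |^:[A-Za-z_-]+ (DROP|REJECT) '
}

# dev002f: exit 0 when "others" hold any permission bit on the node (last octal
# digit of the mode non-zero), exit 1 if not, exit 2 if stat fails (GNU stat assumed).
dev_world_accessible() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case $mode in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# ssh005w: print the first sshd_config in the places Tiger looks (SSHD_CONFIG,
# then the four default locations named above); exit 1 if none exists.
find_sshd_config() {
    root=${1:-}
    if [ -n "${SSHD_CONFIG:-}" ] && [ -f "$root$SSHD_CONFIG" ]; then
        printf '%s\n' "$root$SSHD_CONFIG"; return 0
    fi
    for c in /usr/local/etc/sshd_config /etc/sshd_config /etc/ssh2/sshd2_config /etc/ssh/sshd_config; do
        if [ -f "$root$c" ]; then printf '%s\n' "$root$c"; return 0; fi
    done
    return 1
}

# Walk a report on stdin and print one verdict line per finding.
tiger_recheck() {
    root=${1:-}
    report=$(cat)
    for id in $(printf '%s\n' "$report" | tiger_fail_ids); do
        case $id in
            lin016f)
                if source_routing_enabled "$root"; then
                    echo "lin016f: still enabled; set net.ipv4.conf.{all,default}.accept_source_route=0"
                else echo "lin016f: ok (source routing disabled)"; fi ;;
            lin019f)
                echo "lin019f: pipe 'iptables-save' output (needs root) into has_firewall_rules" ;;
            dev002f)
                for p in $(printf '%s\n' "$report" | tiger_dev002f_paths); do
                    if [ ! -e "$root$p" ]; then echo "dev002f: $p not present (driver not loaded?)"
                    elif dev_world_accessible "$root$p"; then echo "dev002f: $p world-accessible, mode $(stat -c '%a' "$root$p")"
                    else echo "dev002f: $p ok"; fi
                done ;;
            logf007f)
                [ -f "$root/var/log/messages" ] && echo "logf007f: ok" || echo "logf007f: /var/log/messages absent; check the syslog configuration" ;;
            ssh005w)
                c=$(find_sshd_config "$root") && echo "ssh005w: found $c" || echo "ssh005w: no sshd_config (fine if OpenSSH is not installed)" ;;
            netw020f)
                [ -f "$root/etc/ftpusers" ] && echo "netw020f: ok" || echo "netw020f: /etc/ftpusers absent (only matters with an FTP server)" ;;
        esac
    done
}

# Usage on the live system (stat on /dev nodes works without root; iptables does not):
#   sudo grep FAIL /var/log/tiger/security.report.* | tiger_recheck
printf '%s\n' "$TIGER_SAMPLE_REPORT" | tiger_recheck
```

Re-running the checks this way separates the findings that are about absent software (no sshd_config, no ftpusers) from the ones that need a configuration change (source routing, firewall rules, device modes). The two `sysctl -w` commands in the lin016f explanation only last until reboot; on Ubuntu the same keys can be set persistently in /etc/sysctl.conf.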
 
Old 09-05-2011, 07:38 PM   #5
wolfv
LQ Newbie
 
Registered: Feb 2010
Posts: 8

Original Poster
Rep: Reputation: 1
UnSpawn,

I have come to the realization that Unix security is over my head. I just wanted secure on-line banking. I do appreciate you explaining so much.

In your opinion, which is more secure for on-line banking:
  • Windows 7 with an anti-virus and default configurations
  • Ubuntu 10.04 with default configurations

Last edited by wolfv; 09-05-2011 at 07:40 PM.
 
Old 09-06-2011, 01:31 PM   #6
SeRi@lDiE
Member
 
Registered: Jun 2006
Location: /dev/null
Distribution: Slackware 13.1, Slackware 13.37, aptosid, rhel
Posts: 538
Blog Entries: 7

Rep: Reputation: 54
Quote:
Originally Posted by wolfv View Post
UnSpawn,

I have come to the realization that Unix security is over my head. I just wanted secure on-line banking. I do appreciate you explaining so much.

In your opinion, which is more secure for on-line banking:
  • Windows 7 with an anti-virus and default configurations
  • Ubuntu 10.04 with default configurations
IMO, Neither.
Security starts with the user. If you are not security conscious then both systems can be compromised at any time.
 
Old 09-08-2011, 03:39 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,541
Blog Entries: 54

Rep: Reputation: 2924
Quote:
Originally Posted by SeRi@lDiE View Post
Security starts with the user.
I agree with that but I do not agree with this:
Quote:
Originally Posted by SeRi@lDiE View Post
IMO, Neither.
and there's a few reasons for that among which are architecture (like separation of privileges), integration (the way applications are interwoven with the OS) and what a default installation provides (or not). With a default installation of a recent desktop version of MICROS~1 it should have between thirty and fifty services enabled by default. If the firewall is enabled it will still, according to connection profiles, allow access to certain services. A default Ubuntu desktop installation should show no services installed that allow access to certain services and if the firewall is not installed by default then a 'sudo apt-get install ufw; sudo ufw default deny; sudo ufw enable' will mitigate this and block access to any service even if it would allow inbound connections. And having one library effectively crippling the OS is not possible with Linux (well, it's not impossible but as there's no direct exposure there's no direct avenue of attack) but with the Other OS it has been. That said these days compromises are so much more than security breaches on the OS level and if you look at CVEs then I'd still maintain MICROS~1 always has and still has a larger attack surface than Linux.
 
Old 09-08-2011, 08:51 PM   #8
SeRi@lDiE
Member
 
Registered: Jun 2006
Location: /dev/null
Distribution: Slackware 13.1, Slackware 13.37, aptosid, rhel
Posts: 538
Blog Entries: 7

Rep: Reputation: 54
Quote:
Originally Posted by unSpawn View Post
I agree with that but I do not agree with this:

and there's a few reasons for that among which are architecture (like separation of privileges), integration (the way applications are interwoven with the OS) and what a default installation provides (or not). With a default installation of a recent desktop version of MICROS~1 it should have between thirty and fifty services enabled by default. If the firewall is enabled it will still, according to connection profiles, allow access to certain services. A default Ubuntu desktop installation should show no services installed that allow access to certain services and if the firewall is not installed by default then a 'sudo apt-get install ufw; sudo ufw default deny; sudo ufw enable' will mitigate this and block access to any service even if it would allow inbound connections. And having one library effectively crippling the OS is not possible with Linux (well, it's not impossible but as there's no direct exposure there's no direct avenue of attack) but with the Other OS it has been. That said these days compromises are so much more than security breaches on the OS level and if you look at CVEs then I'd still maintain MICROS~1 always has and still has a larger attack surface than Linux.
I agree. Though I do stand by my statement.... while one OS is stronger than the other, if the user has no clue what he or she is doing the OS will just be compromised as fast if not faster than any other OS. Time record at work was a default Linux setup with a tmp password of "maria"; it got hacked within 10 min of being in the network.
 
Tags
fail, report, security, tiger