LinuxQuestions.org

Linux - Security: Ubuntu tiger scan? (http://www.linuxquestions.org/questions/linux-security-4/ubuntu-tiger-scan-418915/)

subjazz 02-23-2006 08:26 PM

Ubuntu tiger scan?
 
Is the following really something to get concerned about? Would it be necessary to disable ICMP? I get a similar reading on Sarge.

--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
(-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
>>>>>> Linux 2.4.17

The entire scan:

Ubuntu Breezy Badger tiger scan

Security scripts *** 3.2.1, 2003.10.10.18.00 ***
Wed Feb 22 16:18:38 PST 2006
16:18> Beginning security report for debian.rdsl.lmi.net (GNU/Linux Linux 2.6.12-9-686).

# Performing check of passwd files...
# Checking entries from /etc/passwd.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.
--WARN-- [pass016w] User cupsys has / as home directory
--WARN-- [pass014w] Login (fetchmail) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (list) is disabled, but has a valid shell.
--WARN-- [pass014w] Login (nobody) is disabled, but has a valid shell.
--WARN-- [pass012w] Home directory /nonexistent exists multiple times (2) in
/etc/passwd.
--WARN-- [pass006w] Integrity of password files questionable (/usr/sbin/pwck
-r).

# Performing check of group files...

# Performing check of user accounts...
# Checking accounts from /etc/passwd.
--WARN-- [acc006w] Login ID gdm's home directory (/var/lib/gdm) has group
`gdm' write access.
--WARN-- [acc022w] Login ID nobody home directory (/nonexistent) is not
accessible.

# Performing check of /etc/hosts.equiv and .rhosts files...

# Checking accounts from /etc/passwd...

# Performing check of .netrc files...

# Checking accounts from /etc/passwd...

# Performing common access checks for root (in /etc/default/login, /securetty, and /etc/ttytab...
--WARN-- [root003w] Root user has message capability turned on.

# Performing check of PATH components...
# Only checking user 'root'

# Performing check of anonymous FTP...

# Performing checks of mail aliases...
# Checking aliases from /etc/aliases.

# Performing check of `cron' entries...
--WARN-- [cron004w] Root crontab does not exist
--WARN-- [cron005w] Use of cron is not restricted

# Performing check of 'services' ...
# Checking services from /etc/services.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service postgres is also assigned to service
postgresql.
--WARN-- [inet003w] The port for service sane is also assigned to service
sane-port.

# Performing NFS exports check...

# Performing check of system file permissions...

# Performing signature check of system binaries...
--WARN-- [sig004w] None of the following versions of /bin/bash (-rwxr-xr-x)
matched the /bin/bash on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/login (-rwxr-xr-x)
matched the /bin/login on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ls (-rwxr-xr-x)
matched the /bin/ls on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/mount (-rwsr-xr-x)
matched the /bin/mount on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/netstat (-rwxr-xr-x)
matched the /bin/netstat on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ping (-rwsr-xr-x)
matched the /bin/ping on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/ps (-rwxr-xr-x)
matched the /bin/ps on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/su (-rwsr-xr-x)
matched the /bin/su on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /bin/umount (-rwsr-xr-x)
matched the /bin/umount on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /sbin/cardctl
(-rwsr-xr-x) matched the /sbin/cardctl on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/at (-r-sr-sr-x)
matched the /usr/bin/at on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/chage
(-rwxr-sr-x) matched the /usr/bin/chage on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/chfn
(-rwsr-xr-x) matched the /usr/bin/chfn on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/chsh
(-rwsr-xr-x) matched the /usr/bin/chsh on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/crontab
(-rwxr-sr-x) matched the /usr/bin/crontab on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/gpasswd
(-rwsr-xr-x) matched the /usr/bin/gpasswd on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lockfile
(-rwxr-sr-x) matched the /usr/bin/lockfile on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lpq (-rwxr-xr-x)
matched the /usr/bin/lpq on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lpr (-rwxr-xr-x)
matched the /usr/bin/lpr on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/lprm
(-rwxr-xr-x) matched the /usr/bin/lprm on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/newgrp
(-rwsr-xr-x) matched the /usr/bin/newgrp on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
(-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/procmail
(-rwxr-sr-x) matched the /usr/bin/procmail on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/screen
(-rwxr-sr-x) matched the /usr/bin/screen on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/ssh (-rwxr-xr-x)
matched the /usr/bin/ssh on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/wall
(-rwxr-sr-x) matched the /usr/bin/wall on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/write
(lrwxrwxrwx) matched the /usr/bin/write on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/bin/xscreensaver
(-rwxr-xr-x) matched the /usr/bin/xscreensaver on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/sbin/lpc
(-rwxr-xr-x) matched the /usr/sbin/lpc on this machine.
>>>>>> Linux 2.4.17

--WARN-- [sig004w] None of the following versions of /usr/sbin/tcpd
(-rwxr-xr-x) matched the /usr/sbin/tcpd on this machine.
>>>>>> Linux 2.4.17


# Checking for known intrusion signs...
# Testing for promiscuous interfaces with /bin/ip
# Testing for backdoors in inetd.conf

# Performing check of files in system mail spool...

# Performing check for rookits...

# Performing system specific checks...
# Performing checks for Linux/2...

# Checking for single user-mode password...

# Checking boot loader file permissions...
--WARN-- [boot02] The configuration file /boot/grub/menu.lst has group
permissions. Should be 0600
--FAIL-- [boot02] The configuration file /boot/grub/menu.lst has world
permissions. Should be 0600
--WARN-- [boot06] The Grub bootloader does not have a password configured.

# Checking for vulnerabilities in inittab configuration...
--FAIL-- [lin007w] Normal users can reboot the system through ctrl+alt+del in
runlevels 12345

# Checking for correct umask settings for init scripts...

# Checking Logins not used on the system ...

# Checking network configuration
--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--FAIL-- [lin016f] The system permits source routing from incoming packets
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets
--FAIL-- [lin019f] The system does not have any local firewall rules
configured

# Verifying system specific password checks...
--WARN-- [pass19w] Login ID root does not have password aging enabled.
--WARN-- [pass19w] Login ID debian does not have password aging enabled.

# Checking OS release...
--WARN-- [osv004w] Unreleased Debian GNU/Linux version `testing/unstable'

# Checking installed packages vs Debian Security Advisories...

# Checking md5sums of installed files

# Checking installed files against packages...
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/nvidia.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fxusb.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fglrx.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcusb.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcpcmcia_cs.ko'
does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcpcmcia.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcpci.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslusba.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslusb2.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslusb.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslslusb.ko'
does not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdslsl.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdsl2.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/fcdsl.ko' does not
belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/ath_hal.ko' does
not belong to any package.
--WARN-- [lin001w] File `/lib/modules/2.6.12-9-686/volatile/.mounted' does not
belong to any package.

# Performing check of root directory...

# Checking device permissions...
--WARN-- [dev003w] The directory /dev/evms resides in a device directory.
--FAIL-- [dev002f] /dev/log has world permissions
--WARN-- [dev003w] The directory /dev/loop resides in a device directory.
--FAIL-- [dev002f] /dev/md0 has world permissions
--FAIL-- [dev002f] /dev/md1 has world permissions
--FAIL-- [dev002f] /dev/md10 has world permissions
--FAIL-- [dev002f] /dev/md11 has world permissions
--FAIL-- [dev002f] /dev/md12 has world permissions
--FAIL-- [dev002f] /dev/md13 has world permissions
--FAIL-- [dev002f] /dev/md14 has world permissions
--FAIL-- [dev002f] /dev/md15 has world permissions
--FAIL-- [dev002f] /dev/md16 has world permissions
--FAIL-- [dev002f] /dev/md17 has world permissions
--FAIL-- [dev002f] /dev/md18 has world permissions
--FAIL-- [dev002f] /dev/md19 has world permissions
--FAIL-- [dev002f] /dev/md2 has world permissions
--FAIL-- [dev002f] /dev/md20 has world permissions
--FAIL-- [dev002f] /dev/md21 has world permissions
--FAIL-- [dev002f] /dev/md22 has world permissions
--FAIL-- [dev002f] /dev/md23 has world permissions
--FAIL-- [dev002f] /dev/md24 has world permissions
--FAIL-- [dev002f] /dev/md3 has world permissions
--FAIL-- [dev002f] /dev/md4 has world permissions
--FAIL-- [dev002f] /dev/md5 has world permissions
--FAIL-- [dev002f] /dev/md6 has world permissions
--FAIL-- [dev002f] /dev/md7 has world permissions
--FAIL-- [dev002f] /dev/md8 has world permissions
--FAIL-- [dev002f] /dev/md9 has world permissions
--WARN-- [dev003w] The directory /dev/snd resides in a device directory.
--WARN-- [dev003w] File /dev/sndstat is a regular file in a device directory.

# Checking for existence of log files...
--FAIL-- [logf005f] Log file /var/log/btmp permission should be 660

# Checking for correct umask settings...

# Checking listening processes

# Checking sshd_config configuration files...
--FAIL-- [ssh005w] Cannot find a configuration file for SSH.

# Checking printer configuration files...
--ERROR-- [init006e] `/etc/printcap' does not exist (file src).
--ERROR-- [init006e] `/etc/printcap' does not exist (file infile).

# Performing common access checks for root...
--FAIL-- [netw020f] There is no /etc/ftpusers file.

# Checking ntpd configuration...

# Checking unusual file names...

# Looking for unusual device files...

# Checking symbolic links...

# Performing check of embedded pathnames...
16:21> Security report completed for debian.rdsl.lmi.net.
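The sig004w lines in the report compare each binary against tiger's bundled signature list, and the versions it has signatures for are printed after the warning (here only Linux 2.4.17). On a 2.6.12 Ubuntu system no entry can match, so that warning cannot tell a legitimately newer binary from a replaced one. The report's own "Checking md5sums of installed files" step is the more useful integrity check, because it uses the checksums the package manager recorded at install time (on Debian-based systems, /var/lib/dpkg/info/<package>.md5sums). The script below is an added example, not code from the thread or from tiger: it verifies files against a dpkg-style md5sums list and reports each as ok, modified or missing. The tree it checks, the file contents and the md5sums list are constructed inside the script; the placeholder digest for the missing file is the md5 of an empty input.

```shell
#!/bin/sh
# Added example (not from the thread): verify files against a dpkg-style md5sums list.
# Lines have the form "<md5>  <path relative to />", as in /var/lib/dpkg/info/<package>.md5sums.

# verify_md5sums ROOT reads md5sums lines on stdin and prints "<status> <path>" for each,
# with status ok, modified or missing. ROOT lets a mounted copy or a test tree be checked.
verify_md5sums() {
    root=$1
    while read -r expected rel; do
        [ -n "$rel" ] || continue
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "missing $rel"
        elif [ "$(md5sum "$f" | cut -d' ' -f1)" = "$expected" ]; then
            echo "ok $rel"
        else
            echo "modified $rel"
        fi
    done
}

# build_demo_root creates a constructed tree with one intact file, one file altered after its
# checksum was recorded and one file that is listed but absent. It sets DEMO_ROOT and DEMO_MD5SUMS.
build_demo_root() {
    DEMO_ROOT=$(mktemp -d)
    mkdir -p "$DEMO_ROOT/usr/bin"
    printf 'chfn-binary-contents' > "$DEMO_ROOT/usr/bin/chfn"
    printf 'chsh-binary-contents' > "$DEMO_ROOT/usr/bin/chsh"
    chfn_sum=$(md5sum "$DEMO_ROOT/usr/bin/chfn" | cut -d' ' -f1)
    chsh_sum=$(md5sum "$DEMO_ROOT/usr/bin/chsh" | cut -d' ' -f1)
    # Constructed list; the last digest is the md5 of empty input, used as a placeholder
    # for a file that is recorded but no longer present.
    DEMO_MD5SUMS="$chfn_sum  usr/bin/chfn
$chsh_sum  usr/bin/chsh
d41d8cd98f00b204e9800998ecf8427e  usr/bin/passwd"
    # Alter chsh after its checksum was recorded, as a replaced binary would be.
    printf 'extra' >> "$DEMO_ROOT/usr/bin/chsh"
}

# demo_status REL prints the status verify_md5sums reports for one path in the demo tree.
demo_status() {
    printf '%s\n' "$DEMO_MD5SUMS" | verify_md5sums "$DEMO_ROOT" | awk -v p="$1" '$2 == p { print $1 }'
}

# Stand-alone run over the constructed tree.
build_demo_root
printf '%s\n' "$DEMO_MD5SUMS" | verify_md5sums "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

On a real system the same function runs as `verify_md5sums / < /var/lib/dpkg/info/<package>.md5sums`. The check only covers files the package manager knows about, which is why the report separately lists the unpackaged modules under /lib/modules/.../volatile, and a local md5sums file is only as trustworthy as the root account that can rewrite it; for a system you suspect, compare against checksums taken from the pristine package or from a copy kept off the machine.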

satinet 02-24-2006 04:47 AM

is this machine behind a firewall??

subjazz 02-24-2006 08:59 PM

You did not answer my first question, despite a good point made.
I can set up a firewall, the following from Ubuntu site:
"Since Ubuntu doesn't run any daemons that listen to the outside world by default (the postfix install only listens on localhost) there's no need for a default firewall.

The rationale is that if a user's got a need for installing a world-facing daemon, they'll be aware that they should configure a firewall/ACL for it too. "

My conclusion is that one must be conscious of the potential security risks and be able to administer desired
configurations as needed in regards to Ubuntu.

satinet 02-25-2006 04:52 AM

Yes, I think you're right - don't worry.

unSpawn 02-25-2006 10:39 AM

@Satinet: yes,i think you're right - dont worry
He's shown you a complete Tiger report and you counter with "don't worry". Now please keep in mind I'm not here to put your head on the chopping block, but could you possibly be a wee bit more verbose, explain what we're seeing and why?
That could be helpful not only to him possibly but also to other people who find this thread in time.
TIA


@Subjazz My conclusion is that one must be conscious of the potential security risks and be able to administer desired
configurations as needed in regards to Ubuntu.

Ten points for drawing the right conclusion. I wish more people would think of potential security risks before installing any (public) network facing stuff.

satinet 02-25-2006 01:56 PM

OK, it wouldn't worry me because most hosts without a firewall will respond to ICMP. I can ping my other PC, for example. Personally I don't use firewalls on them because I run the internet connections through a hardware router/firewall. This is a NAT firewall, meaning the machines can't be addressed directly. If you have a similar setup there is no real need to set up firewalls on each machine, as it just makes life more difficult (if you trust your firewall).

the other stuff is just normal warnings.

e.g.
--WARN-- [pass014w] Login (backup) is disabled, but has a valid shell.

OK, this is a system user. But if it was compromised or a password was set, it could actually log in as it has a shell. E.g. I'm using a bash shell. Well, this is a reasonable warning. It's hardly a security nightmare, and there may be a time when you actually want to log in as that user (or similar).

Quote:

--FAIL-- [lin010f] The system is configured to answer to ICMP broadcasts
--WARN-- [lin012w] The system accepts ICMP redirection messages
--FAIL-- [lin013f] The system is not protected against Syn flooding attacks
--FAIL-- [lin016f] The system permits source routing from incoming packets
--WARN-- [lin017w] The system is not configured to log suspicious (martian)
packets
--FAIL-- [lin019f] The system does not have any local firewall rules
configured
All this section is saying is that you don't have a firewall, as discussed above.

Other than that it's just warnings about file permissions etc. that I personally don't/wouldn't care about...


Basically, get a firewall - I would use a hardware one. And then nothing else is worth worrying about...
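The network-configuration block quoted above (lin010f through lin017w) is driven by a handful of net.ipv4 sysctl values, and each of them can be fixed on the host itself whether or not a firewall sits in front of it. The script below is an added example, not part of the thread or of tiger: it reads `sysctl -a` style "key = value" lines and prints which of those five findings a given dump would raise, and it prints the /etc/sysctl.conf fragment that clears them. The pairing of tiger's tags with sysctl keys is my own reading of what each message describes, not quoted from tiger's source, and the two sample dumps are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report which of tiger's network-configuration
# findings a sysctl dump would raise. The tag-to-key mapping is an assumption drawn from
# the wording of each tiger message, not quoted from tiger itself.

# Constructed sample: a default-looking dump in which all five checks fire.
SAMPLE_WEAK='net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.log_martians = 0'

# Constructed sample: the same keys after hardening; also the sysctl.conf fragment to apply.
SAMPLE_HARDENED='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1'

# audit_sysctl reads "key = value" lines on stdin (the format of `sysctl -a`) and prints one
# "<tiger tag> <key> is <value>, want <wanted>" line per setting tiger would flag.
audit_sysctl() {
    while IFS='=' read -r key value; do
        key=$(printf '%s' "$key" | tr -d ' \t')
        value=$(printf '%s' "$value" | tr -d ' \t')
        case "$key:$value" in
            net.ipv4.icmp_echo_ignore_broadcasts:0)  echo "lin010f $key is 0, want 1" ;;
            net.ipv4.conf.all.accept_redirects:1)    echo "lin012w $key is 1, want 0" ;;
            net.ipv4.tcp_syncookies:0)               echo "lin013f $key is 0, want 1" ;;
            net.ipv4.conf.all.accept_source_route:1) echo "lin016f $key is 1, want 0" ;;
            net.ipv4.conf.all.log_martians:0)        echo "lin017w $key is 0, want 1" ;;
        esac
    done
}

# count_flags prints how many findings audit_sysctl raises for the dump passed as $1.
count_flags() {
    printf '%s\n' "$1" | audit_sysctl | awk 'END { print NR }'
}

# hardening_conf prints the lines to append to /etc/sysctl.conf (applied with `sysctl -p`).
hardening_conf() {
    printf '%s\n' "$SAMPLE_HARDENED"
}

# Stand-alone run over the constructed samples.
echo "weak dump:"
printf '%s\n' "$SAMPLE_WEAK" | audit_sysctl
echo "hardened dump raises $(count_flags "$SAMPLE_HARDENED") findings"
echo "sysctl.conf fragment:"
hardening_conf
```

To audit the running kernel, pipe `sysctl -a | audit_sysctl`. Note that lin019f (no local firewall rules) is not a sysctl value and is not covered here; as the thread says, that one is answered by a packet filter, on the host or in front of it. The keys under net.ipv4.conf.all change the setting for every interface; a matching net.ipv4.conf.default entry makes interfaces added later start with the same value.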

