topic Re: Security Auditing Tools in Operating System - HP-UX

Security Auditing Tools

Greg Vaidman — Wed, 03 Jan 2001 17:07:07 GMT

Any recommendations for tools to perform a security audit of HP-UX 10.x and 11.x systems?

I'm interested in OS-level security issues, and I need to produce some reports.

I'll certainly use 'crack' and probably the ISS scanner from the porting archives, but I'm interested in something that'll give me stuff like a list of setuid files, files that are world writable, etc. Now my examples are pretty easy to script, but I'm looking for something that will give me a whole bunch of those types of things in one shot.

Thanks!

Re: Security Auditing Tools

Steven Sim Kok Leong — Thu, 04 Jan 2001 06:04:20 GMT

Hi,

Try using tiger. It is a good auditing tool.

Hope this helps. Regards.

Steven Sim
Brainbench MVP for Unix Admin
http://www.brainbench.com

Re: Security Auditing Tools

Dan Hetzel — Thu, 04 Jan 2001 07:36:59 GMT

Hi Greg,

If you only have Unix boxes, ESM/Axent is a good tool.
If your network is also including some Novell/NT servers, Bindview offers more functionalities for those, while also offering HP-UX support with the last version.

Best regards,

Dan

Re: Security Auditing Tools

John Peckitt — Thu, 04 Jan 2001 11:41:25 GMT

If you contact HP (Account Support Engineer), there is a proprietary tool called Medusa, which can be run to give a comprehensive security report, detailing a number of exposures, as well as offering solutions.

Re: Security Auditing Tools

Kofi ARTHIABAH — Thu, 04 Jan 2001 13:48:36 GMT

Greg:

The last issue of SANS Newsbites has an article:

" --2 January 2001 Vulnerability Scanners Fail To Find Common
Vulnerabilities
Network Computing magazine laboratory tests show that all of the popular
security vulnerability testing software packages failed a test in which
they were analyzing systems with seventeen known "NASTY"
vulnerabilities. A table is included showing the results by
vulnerability assessment product, operating system, vulnerability. The
bottom line: relying on a single vulnerability assessment tool is
dangerous.
http://img.cmpnet.com/nc/1201/graphics/f1-detect-results.pdf "

you might want to check it out.

Re: Security Auditing Tools

Greg Vaidman — Thu, 04 Jan 2001 15:47:11 GMT

Steven,
Tiger hasn't been updated since '94, at least in versions that I could find.

Dan,
I knew about ESM from Axent, but it's going to blow the budget in this particular scenario (2 days of consulting).

Kofi,
Interesting article. I certainly know the danger of relying solely on 1 tool, but because of time constraints, a few tools, rather than a lot of manual effort, will have to do.

John,
I'll have to follow up on Medusa. I haven't found any web links, but I'll see if I can get some more info from HP.

All,
Thanks!

Re: Security Auditing Tools

Account Not Used — Thu, 04 Jan 2001 18:45:31 GMT

There are various ways to get suid/guid information on files etc. There is a command in hp/ux "ncheck" I believe if you input the following command it will tell you what files have sticky bit set. EXAMPLE: ncheck -s. Also do a man page on the "find" command you can also find "suid" information on files using the correct find command string.

Re: Security Auditing Tools

Paula J Frazer-Campbell — Thu, 04 Jan 2001 20:40:23 GMT

Hi greg
the following will check the passwd file for root level users and the second attached file checks many system areas for security problems.

HTH

Paula

-----------------CUT HERE-------------------
#! /bin/sh
##############################################################
# PJFC 11/1999
#
# Script to check the /etc/passwd file for users with
# root level access (0 in field 3)
# two delivery options are given, a mail to and a cat to a file
#############################################################
cd /sysadmin
rm /sysadmin/rootalert
for id in `awk 'FS=":" {if(($3 == 0 && $1 != "root" )) \
print $1}' /etc/passwd`
do
# mail -s "Root access alert" paula@avro.co.uk << EOF
cat << EOF >> rootalert
*******************************************************
*
* ALERT! Login ID `echo ${id}` has ROOT UID
* `date "+detected On Date :%D Time :%r"`
*
*******************************************************
EOF
done
-----------------CUT HERE-------------------

Re: Security Auditing Tools

Vinit Adya — Fri, 12 Jan 2001 03:41:56 GMT

As i understand you are probably looking for a Policy Compliance Manager. A tool which can give you an overview of the security settings in the systems and file permissions etc.
We use a tool called March Security Manager, from March Information systems limited. This product not only evaluates the security, it also has a feature of freeezing the checksums so that a quick periodic review can be dome only on the files which have changed since last review. It can review multiple systems from a single console etc.

Re: Security Auditing Tools

Greg Vaidman — Fri, 12 Jan 2001 17:45:53 GMT

Thanks all. I was able to complete an audit of three systems in two days, using a combination of crack, iss, nmap, and a few of my own scripts.

compiling some of these tools brought me back some memories, i'll tell you that!

Re: Security Auditing Tools

Fernando Madureira_1 — Mon, 05 Mar 2001 13:30:37 GMT

Hi,

use the ESM - Enterprise Security Manager by Axent Technologies. This tool is the best to management and auditing your servers in check the file permissons, password contents, auditing logs, etc. Check teh site http://www.axent.com

Regards,
Fernando.