Re: How to Verify Unauthorized SUID/SGID in unix server?

DharmaRao G · ‎07-17-2009

How to Verify Unauthorized SUID/SGID System Executables Do Not Exist on HP UNIX.

Mel Burslan · ‎07-17-2009

I have not heard any such concept of "Unauthorized SUID/SGID System Executables" on hpux. The best way to do this is to take a baseline right after the fresh install as follows:

find / -perm -2 -exec ls -ld {} \; >> /var/adm/baseline 2>/dev/null

and run this command periodically and compare the output each time to the original using diff command to see if there are any new files added to this list, which can be interpreted as "unauthorized" The value -2 following switch -perm is for world writable files. If you need other permissions to be looked for, see the man page for find command.

HTH

________________________________
UNIX because I majored in cryptology...

OldSchool · ‎07-17-2009

Mel: "I have not heard any such concept of "Unauthorized SUID/SGID System Executables"

he appears to be working his way thru somekind of pre-audit checklist, based on like most of his other questions....

in this case, try:

find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; > list.out

that should list everything that has setuid or setgid bits set. then you'll have to examine the list.out file to see if anything jumps out.

auditors in particular don't like suid/sgid on scripts, even is the OS involved "ignores" them for script execution

OldSchool · ‎07-17-2009

make that "ls -l" in the exec...I obviously need more coffee

Bill Hassell · ‎07-17-2009

Setuid programs are part of the OS, but a hacker might have been able to create one in an unsecured location sych as /tmp or /var/tmp. That's why you should always use the nosuid option for mounting any lvol where ordinary users can write. /usr and /opt must allow suid, but never /home, /tmp or /var.

Unfortunately, the question cannot be answered. It is like asking: "Verify that there are no errors in my program." You can't prove the absence of a problem, only the existence of a problem.

The beginning of such a task is to find every executable file with the suid/sgid bits set. Then compare this list with a list of all the files in HP-UX using the swlist -l files command. Then whatever is leftover will require research as to what the program does, why it is on your system and is the program safe.

Shouldn't take more than a week or two...

Bill Hassell, sysadmin

Dennis Handly · ‎07-17-2009

>OldSchool: make that "ls -l" in the exec..

Why? You want -d so you don't list the contents of directories:
find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} + > list.out

VK2COT · ‎07-17-2009

Hello,

As part of my audit of HP-UX servers
I have a flag "-c" to check all
SUID, SGID and unowned files:

http://www.circlingcycle.com.au/Unix-sources/HP-UX-check-OAT.pl.txt

It uses Perl to find them...

Quite frankly, all SUID/SGID programs and
files can be seen as "unauthorised". It all
depends on the security policy at your
company.

Cheers,

VK2COT

VK2COT - Dusan Baljevic

Bill Hassell · ‎07-18-2009

> Quite frankly, all SUID/SGID programs and
files can be seen as "unauthorised". It all
depends on the security policy at your
company.

Not true. The SUID/SGID programs that come with HP-UX are mandatory. Turn off the SUID/SGID bits or remove these programs and you will have an extremely secure system -- no one including root can login and the system may not even boot up successfully. Thta may make the auditors quite happy but the computer is useless.

The concern from an auditor's perspective refers to programs and files that come from untrusted sources or that have been added by an intruder. You may need to add an intrusion detection or other security application to meet auditing requirements.

Bill Hassell, sysadmin

OldSchool · ‎07-18-2009

Dennis: ">OldSchool: make that "ls -l" in the exec..

Why? ..."

it was an ID-10.T error, the original version I had was going after "-type f", somewhere along the line....somewhere along the line the ID-10.T (me) ommitted it from the posting...I still plead ENOCOFFEE

OldSchool · ‎07-18-2009

Bill H: "The concern from an auditor's perspective refers to programs and files that come from..."

Right. And they will accept them if you can justify their presence. What they really frown on is finding one on the list that you've no explaination for.

VK2COT · ‎07-19-2009

Hello,

Although vendors set various programs
SUID/SGID, it does not necessarily mean one
needs to use them.

Here are examples from an HP-UX 11.31 server
that runs HP software only:

SGID file: /etc/lanscan
SUID file: /etc/arp
SUID file: /etc/ping
SUID file: /etc/shutdown
SGID file: /etc/wall
SUID file: /etc/mediainit
SGID file: /etc/sysdef
SUID file: /etc/opt/hpsmc/shc/shc.public.key
SGID file: /etc/vx/isis/Registry.pre-ddlpro
SUID file: /opt/hpsmc/shc/bin/shc
SUID file: /opt/hpsmc/shc/bin/shcctl
SUID file: /opt/hpws/apache/bin/suexec.hide
SUID file: /opt/mx/bin/mxagentconfig
SUID file: /opt/VRTSob/bin/vxguidgen
SUID file: /opt/caliper/lbin/csdaemon
SUID file: /opt/hp/RemoteSupport/pac/bin/pac-cli
SUID file: /usr/sbin/arp
SUID file: /usr/sbin/ping
SUID file: /usr/sbin/rlp
SGID file: /usr/sbin/wall
SUID file: /usr/sbin/shutdown
SUID file: /usr/sbin/sd
SUID file: /usr/sbin/lpsched
SUID file: /usr/sbin/lpshut
SUID file: /usr/sbin/rcancel
SUID file: /usr/sbin/reject
SUID file: /usr/lbin/uucp/uucico
SUID file: /usr/lbin/uucp/uuclean
SUID file: /usr/lbin/uucp/uusched
SUID file: /usr/lbin/uucp/uusub
SUID file: /usr/lbin/uucp/uuxqt
SUID file: /usr/lib/lpadmin
SUID file: /usr/lib/lpfence
SUID file: /usr/lib/lpmove
SUID file: /usr/lib/lpsched
SUID file: /usr/lib/lpshut
SUID file: /usr/lib/rcancel
SUID file: /usr/lib/reject
SUID file: /usr/lib/rlp
SUID file: /usr/contrib/bin/VgCollect
SUID file: /usr/lib/rlpdaemon
SUID file: /usr/bin/chfn
SUID file: /usr/bin/chsh
SUID file: /usr/bin/yppasswd
and many more.

If you do not use, for example, Unix printing, or YP/NIS, why would you need
to have these programs SUID/SGID.

In the end, one's business is their priority
and they have every right to question
every vendor. It is not a matter of
mistrust but a matter of taking care of
own "home".

So, mandatory or not, SUID/SGID files
should be checked. Besides, if one
uses a modern version of HP-UX, RBAC
and privilege separation can take care of it
in a nice way (there are other methods too).

Cheers,

VK2COT

VK2COT - Dusan Baljevic

Alex Smirnoff · ‎07-19-2009

Well, a simple audit script will do, but actually to truly maintain security you need to audit more. It is generally a good practice to have cryptographically secure hashes of your executable binaries and important configuration files to be saved elsewhere (not on the host itself). Tripwire (which is available as a part of HP Internet Express package, it is free) is a good example; AIDE (Advanced Intrustion Detection Environment iirc) may be better, but although HP-UX is said to be supported, you have to compile it from source. And there is a tool to check for advanced rootkits (yes, rootkits existed in Unix systems long before this word became known to Windows users) that may try to hide nasty things in our system, it is called Chkrootkit and it is in the same Internet Express package also.

http://docs.hp.com/en/5900-0405/index.html
http://h20341.www2.hp.com/hpux11i/cache/324414-0-0-0-121.html

Don't forget Bastille also, it is a nice tool to help you to secure your system.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: How to Verify Unauthorized SUID/SGID in unix server?

How to Verify Unauthorized SUID/SGID in unix server?