07-17-2009 08:34 AM
How to Verify Unauthorized SUID/SGID in unix server?
07-17-2009 08:51 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
find / -perm -2 -exec ls -ld {} \; >> /var/adm/baseline 2>/dev/null
Run this command periodically and compare the output each time to the original using the diff command to see if any new files have been added to this list, which can be interpreted as "unauthorized". The value -2 following the -perm switch is for world-writable files. If you need other permissions to be looked for, see the man page for the find command.
HTH
UNIX because I majored in cryptology...
07-17-2009 09:57 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
He appears to be working his way through some kind of pre-audit checklist, based on most of his other questions....
In this case, try:
find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} \; > list.out
That should list everything that has setuid or setgid bits set. Then you'll have to examine the list.out file to see if anything jumps out.
Auditors in particular don't like suid/sgid on scripts, even if the OS involved "ignores" them for script execution.
07-17-2009 09:58 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
07-17-2009 10:46 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
Unfortunately, the question cannot be answered. It is like asking: "Verify that there are no errors in my program." You can't prove the absence of a problem, only the existence of a problem.
The beginning of such a task is to find every executable file with the suid/sgid bits set. Then compare this list with a list of all the files in HP-UX using the swlist -l files command. Then whatever is left over will require research as to what the program does, why it is on your system and whether the program is safe.
Shouldn't take more than a week or two...
Bill Hassell, sysadmin
07-17-2009 02:31 PM
Re: How to Verify Unauthorized SUID/SGID in unix server?
Why? You want -d so you don't list the contents of directories:
find / \( -perm -2000 -o -perm -4000 \) -exec ls -ld {} + > list.out
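Putting the replies so far together, as an added example that is not code posted by anyone in this thread: a POSIX sh script that records the SUID/SGID list as a baseline, reports what changed on later runs (the diff approach from the first reply), and filters the list against a vendor manifest (the swlist comparison suggested above). The -xdev option, the -type f filter and the manifest file format are my assumptions.

```shell
#!/bin/sh
# Added example, not code posted by anyone in this thread. It combines the
# baseline-and-diff idea from the first reply with the SUID/SGID search from
# the later ones. Assumes POSIX sh plus find, ls, sort, diff, sed and grep.

# List regular files under $1 (default /) with the setuid or setgid bit set.
# -type f skips directories, "{} +" batches the ls calls, and -xdev (my own
# addition) keeps the scan on one filesystem; drop it to cross NFS mounts.
suid_sgid_list() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null | sort
}

# Save the current list for tree $1 as the baseline file $2.
baseline_save() {
    suid_sgid_list "$1" > "$2"
}

# Re-scan tree $1 and compare it with baseline $2. Prints "+ <ls line>" for
# entries that are new (or whose owner, mode, size or mtime changed, which
# also deserves a look) and "- <ls line>" for entries that vanished.
# Returns 0 when nothing changed, 1 when something did.
baseline_diff() {
    current=$(mktemp) || return 2
    suid_sgid_list "$1" > "$current"
    changes=$(diff "$2" "$current" | sed -n 's/^> /+ /p; s/^< /- /p')
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Reduce a list written by suid_sgid_list ($1) to entries whose path is not
# in the vendor manifest $2 (one path per line; on HP-UX the thread suggests
# deriving it from "swlist -l files"). What is left is the set that needs a
# written justification. Assumes paths without spaces (last field of ls -ld).
unexplained() {
    while read -r line; do
        path=${line##* }
        grep -qxF -- "$path" "$2" || printf '%s\n' "$line"
    done < "$1"
}
```

Run baseline_save once on a known-good system, then schedule baseline_diff and treat every "+" line as something to explain or remove.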
07-17-2009 05:20 PM
Re: How to Verify Unauthorized SUID/SGID in unix server?
As part of my audit of HP-UX servers I have a flag "-c" to check all SUID, SGID and unowned files:
http://www.circlingcycle.com.au/Unix-sources/HP-UX-check-OAT.pl.txt
It uses Perl to find them...
Quite frankly, all SUID/SGID programs and files can be seen as "unauthorised". It all depends on the security policy at your company.
Cheers,
VK2COT
07-18-2009 05:16 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
files can be seen as "unauthorised". It all depends on the security policy at your company.
Not true. The SUID/SGID programs that come with HP-UX are mandatory. Turn off the SUID/SGID bits or remove these programs and you will have an extremely secure system -- no one including root can login and the system may not even boot up successfully. That may make the auditors quite happy but the computer is useless.
The concern from an auditor's perspective refers to programs and files that come from untrusted sources or that have been added by an intruder. You may need to add an intrusion detection or other security application to meet auditing requirements.
Bill Hassell, sysadmin
07-18-2009 05:31 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
Why? ..."
It was an ID-10.T error. The original version I had was going after "-type f"; somewhere along the line the ID-10.T (me) omitted it from the posting... I still plead ENOCOFFEE.
07-18-2009 05:38 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
Right. And they will accept them if you can justify their presence. What they really frown on is finding one on the list that you've no explanation for.
07-19-2009 03:56 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
Although vendors set various programs SUID/SGID, it does not necessarily mean one needs to use them.
Here are examples from an HP-UX 11.31 server that runs HP software only:
SGID file: /etc/lanscan
SUID file: /etc/arp
SUID file: /etc/ping
SUID file: /etc/shutdown
SGID file: /etc/wall
SUID file: /etc/mediainit
SGID file: /etc/sysdef
SUID file: /etc/opt/hpsmc/shc/shc.public.key
SGID file: /etc/vx/isis/Registry.pre-ddlpro
SUID file: /opt/hpsmc/shc/bin/shc
SUID file: /opt/hpsmc/shc/bin/shcctl
SUID file: /opt/hpws/apache/bin/suexec.hide
SUID file: /opt/mx/bin/mxagentconfig
SUID file: /opt/VRTSob/bin/vxguidgen
SUID file: /opt/caliper/lbin/csdaemon
SUID file: /opt/hp/RemoteSupport/pac/bin/pac-cli
SUID file: /usr/sbin/arp
SUID file: /usr/sbin/ping
SUID file: /usr/sbin/rlp
SGID file: /usr/sbin/wall
SUID file: /usr/sbin/shutdown
SUID file: /usr/sbin/sd
SUID file: /usr/sbin/lpsched
SUID file: /usr/sbin/lpshut
SUID file: /usr/sbin/rcancel
SUID file: /usr/sbin/reject
SUID file: /usr/lbin/uucp/uucico
SUID file: /usr/lbin/uucp/uuclean
SUID file: /usr/lbin/uucp/uusched
SUID file: /usr/lbin/uucp/uusub
SUID file: /usr/lbin/uucp/uuxqt
SUID file: /usr/lib/lpadmin
SUID file: /usr/lib/lpfence
SUID file: /usr/lib/lpmove
SUID file: /usr/lib/lpsched
SUID file: /usr/lib/lpshut
SUID file: /usr/lib/rcancel
SUID file: /usr/lib/reject
SUID file: /usr/lib/rlp
SUID file: /usr/contrib/bin/VgCollect
SUID file: /usr/lib/rlpdaemon
SUID file: /usr/bin/chfn
SUID file: /usr/bin/chsh
SUID file: /usr/bin/yppasswd
and many more.
If you do not use, for example, Unix printing, or YP/NIS, why would you need to have these programs SUID/SGID?
In the end, one's business is their priority and they have every right to question every vendor. It is not a matter of mistrust but a matter of taking care of one's own "home".
So, mandatory or not, SUID/SGID files should be checked. Besides, if one uses a modern version of HP-UX, RBAC and privilege separation can take care of it in a nice way (there are other methods too).
Cheers,
VK2COT
07-19-2009 06:05 AM
Re: How to Verify Unauthorized SUID/SGID in unix server?
http://docs.hp.com/en/5900-0405/index.html
http://h20341.www2.hp.com/hpux11i/cache/324414-0-0-0-121.html
Don't forget Bastille as well; it is a nice tool to help you secure your system.