System Security Scanner - sXid


choon
07-20-2004, 03:22 PM
What is System Security Scanner?

A system security scanner is an application that runs on the system. It scans for insecurities, "holes" or "problems" in your system and informs you via various means depending on its features. Such "problems" might be file permissions, outdated packages/software/applications, insecure configurations, etc., again depending on the scanner's features.

Please note that this is a proactive security measure and assumes that your system is not compromised; if your system is already compromised, then the results might not be effective. All system security scanners are better installed or run before connecting to the internet, to ensure that your system is not compromised.

There are a number of system security scanners available. Some are free and some are not. This time, I will talk about one of those free system security scanners - sXid.

sXid is focused on file and file system security in Linux, especially SUID and SGID, and was written by Ben Collins of the Debian project. You can get a copy at:
http://freshmeat.net/projects/sxid/
http://www.phunnypharm.org/pub/sxid/
ftp://marcus.seva.net/pub/sxid/

sXid is an all-in-one suid/sgid monitoring program designed to be run from cron. Basically it tracks changes in your s[ug]id files and folders, hence the program name sXid. If one of your users (or maybe you) has installed a new package or changed bits or other modes, then it reports the changes in an easily understandable format. The reports can be sent by e-mail or to the command line.

Installation via apt-get

If you are using Debian, issue the following command to install sXid (the package name is lowercase):
apt-get install sxid
Installation via rpm

If you are using Red Hat Linux or Fedora Core 1 or 2, you can install sxid via rpm. Download the SRPM from my site:
wget http://choon.net/SRPMS/sxid-4.0.4-1.src.rpm -P /tmp
rpmbuild --rebuild /tmp/sxid-4.0.4-1.src.rpm
rpm -ivh /usr/src/redhat/RPMS/i386/sxid-4.0.4-1.i386.rpm
rm -f /tmp/sxid-4.0.4-1.src.rpm

Installation via source

If you want to install from source, here are the steps:

Step 1: Download the latest tarball from http://freshmeat.net/projects/sxid/ (the latest version is 4.0.4).
wget http://www.phunnypharm.org/pub/sxid/sxid_4.0.4.tar.gz -P /tmp

Step 2: Unpack the source; the directory I chose to unpack into is /usr/local/src.
mkdir -p /usr/local/src
tar zxvf /tmp/sxid_4.0.4.tar.gz -C /usr/local/src

Step 3: chown all files and directories so they are owned by root
chown -R root:root /usr/local/src/sxid-4.0.4

Step 4: Change current working directory to the newly unpacked source directory
cd /usr/local/src/sxid-4.0.4

Step 5: Configure and Compile
make clean
./configure --sysconfdir=/etc
I pass --sysconfdir=/etc since I want sXid to look for its configuration file in the /etc directory. You can learn more by running ./configure --help and adjust the configure options to suit your needs.

If no major errors occur when you run configure, then you are ready to install sXid.

Step 6: Install sXid
make
make install
If you followed the configure command I showed in Step 5, then sXid is located at:
/usr/local/bin/sxid

Configuration

sXid uses one configuration file, named sxid.conf.

When you run the configure script without any options, it will be located in /usr/local/etc/; otherwise it is in the directory you specified, which for my example is /etc. After you have installed sXid, use man sxid.conf to learn how to configure sXid in sxid.conf to suit your needs. The following is one of my samples:
# Configuration file for sXid
# Note that all directories must be absolute with no trailing /'s

# Where to begin our file search
SEARCH = "/"

# Which subdirectories to exclude from searching
EXCLUDE = "/proc /mnt /cdrom /floppy"

# Who to send reports to
EMAIL = "root"

# Always send reports, even when there are no changes?
ALWAYS_NOTIFY = "no"

# Where to keep interim logs. This will rotate 'x' number of
# times based on KEEP_LOGS below
LOG_FILE = "/var/log/sxid.log"

# How many logs to keep
KEEP_LOGS = "5"

# Rotate the logs even when there are no changes?
ALWAYS_ROTATE = "no"

# Directories where +s is forbidden (these are searched
# even if not explicitly in SEARCH), EXCLUDE rules apply
FORBIDDEN = "/home /tmp"

# Remove (-s) files found in forbidden directories?
ENFORCE = "no"

# This implies ALWAYS_NOTIFY. It will send a full list of
# entries along with the changes
LISTALL = "no"

# Ignore entries for directories in these paths
# (this means that only files will be recorded, you
# can effectively ignore all directory entries by
# setting this to "/"). The default is /home since
# some systems have /home g+s.
IGNORE_DIRS = "/home"

# File that contains a list of (each on its own line)
# other files that sxid should monitor. This is useful
# for files that aren't +s, but relate to system
# integrity (tcpd, inetd, apache...).
# EXTRA_LIST = "/etc/sxid.list"

# Mail program. This changes the default compiled in
# mailer for reports. You only need this if you have changed
# its location and don't want to recompile sxid.
# MAIL_PROG = "/usr/bin/mail"
Cron-Job

If you install from rpm, a file is installed in your /etc/cron.daily directory; its full file name is /etc/cron.daily/sxid and its content is the following:
#!/bin/sh

SXID_OPTS=

if [ -x /usr/bin/sxid ]; then
/usr/bin/sxid ${SXID_OPTS}
fi
If you install from source, you can set up a cron job to run it daily or whenever you like. An example root crontab entry is below, scheduled to run at 6:10 AM every day:
10 6 * * * /usr/local/bin/sxid >/dev/null 2>&1

That's it ;)
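
To make the post's description of what sXid does on each cron run more concrete (the s[ug]id tracking described above, and the FORBIDDEN directories from the sample sxid.conf), here is a small shell sketch that imitates the idea. It is an added example, not sXid's own code and not from the original post: the function names (scan_sxid, compare_sxid, check_forbidden, make_sample_tree, demo_sxid) and the sample file tree are constructed for the example, and it assumes a Linux box with a stat that accepts -c (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not part of sXid or the original post): a minimal
# imitation of one sXid run, built from find/stat/comm. Names and the
# sample tree below are constructed for this example.

# Print one line per setuid/setgid regular file under $1:
#   <octal mode> <owner> <group> <path>
# stat -c is the GNU coreutils/busybox form (assumption: Linux).
scan_sxid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + | sort -k4
}

# Compare the previous scan ($1) with the new one ($2), both files
# written by scan_sxid. Prints "+ entry" for new or changed entries
# and "- entry" for removed or changed ones (a mode change shows as
# one "-" line and one "+" line for the same path).
compare_sxid() {
    sort "$1" > "$1.sorted"; sort "$2" > "$2.sorted"
    comm -13 "$1.sorted" "$2.sorted" | sed 's/^/+ /'
    comm -23 "$1.sorted" "$2.sorted" | sed 's/^/- /'
    rm -f "$1.sorted" "$2.sorted"
}

# sXid's FORBIDDEN setting: +s is not expected under these directories.
# $1 is the tree root, the rest are directories relative to it.
# Returns 0 when no s[ug]id file is found there, 1 otherwise.
check_forbidden() {
    root=$1; shift
    n=0
    for d in "$@"; do
        [ -d "$root$d" ] || continue
        n=$(( n + $(find "$root$d" -type f \( -perm -4000 -o -perm -2000 \) | wc -l) ))
    done
    [ "$n" -eq 0 ]
}

# Constructed sample tree: two +s files that belong, one plain binary.
# Prints the path of the temporary root.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/tmp" "$t/home/alice"
    printf 'x' > "$t/usr/bin/passwd" && chmod 4755 "$t/usr/bin/passwd"
    printf 'x' > "$t/usr/bin/wall"   && chmod 2755 "$t/usr/bin/wall"
    printf 'x' > "$t/usr/bin/ls"     && chmod 0755 "$t/usr/bin/ls"
    printf '%s\n' "$t"
}

# Walk through one "day": baseline, then a stray setuid file appears
# in /tmp and is reported, just as sXid would mail it to EMAIL.
demo_sxid() {
    t=$(make_sample_tree)
    scan_sxid "$t" > "$t/baseline"
    printf 'x' > "$t/tmp/stray" && chmod 4755 "$t/tmp/stray"
    scan_sxid "$t" > "$t/current"
    echo "changes since baseline:"
    compare_sxid "$t/baseline" "$t/current"
    if check_forbidden "$t" /home /tmp; then
        echo "forbidden dirs: clean"
    else
        echo "forbidden dirs: +s file present"
    fi
    rm -rf "$t"
}

case "${1:-}" in demo) demo_sxid ;; esac
```

Run it as sh sxid_demo.sh demo to see the report; the real sXid adds log rotation (LOG_FILE/KEEP_LOGS), mailing, and the optional ENFORCE removal of +s in forbidden directories, which this sketch deliberately leaves out.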

RapidFire
08-14-2004, 06:02 PM
Hi choon,

Let's say I use apt-get to install sXid. Do I need to do extra configuration?

choon
08-14-2004, 06:05 PM
After you install the package, check whether the file exists in /etc or /usr/local/etc ;)
I believe it is configured automatically, though if not I will have to :gone: