wiki:WishList
Last modified on 06/18/08 14:45:55

Existing tests

  • aliases (Michel Samia)
    • Checks bash aliases for:
      • existence of included file
      • existence of command
      • possibility of changing content of file implementing the command (world/other writable, owner not root)
      • possibility of changing content of included file (world/other writable, owner not root)
  • bootloader (Michel Samia)
    • Tests
      • permission and owner of /etc/grub.conf
      • password presence
  • cron (Michel Samia)
    • Checks crontab for
      • whether it contains absolute paths
      • whether the command is secure (not world/group writable, root as owner)
  • disc_usage (Michel Samia)
    • Tells the user which mounted volumes are about to become full. Uses df to get this information.
  • exec-shield (Peter Vrabec)
    • Checks if exec-shield and virtual address randomization are enabled.
  • filesystem (Dan Kopecek)
    • Common filesystem checks:
      • finds all files which have an unknown owner UID or GID
      • finds world writable files
      • finds world or group writable executables
      • finds SUID scripts
      • finds executable files which are not in the rpm database
      • finds symbolic links pointing to non-existing files or directories
  • firewall (Dan Kopecek)
    • Simple analysis of firewall policy rules.
  • group (Michel Samia)
    • Checks group for whether
      • line is not blank
      • line has correct number of fields
      • groupname is not empty
      • groupname contains only alpha-numeric characters
      • groupname is shorter than 32 chars
      • all group passwords are shadowed
      • GIDs are valid numbers
      • GIDs are in range 0..60000
      • there are groups with the same GID
      • there are duplicate groupnames
  • home_dirs (Michel Samia)
    • Tests
      • permission and owner of /home/*
      • finds lost home directories (after removed users)
      • warns about users whose home directory doesn't exist
      • finds users sharing the same home directory
  • home_files (Michel Samia)
    • Tests ownership and access rights to sensitive files (.bashrc, ssh/id_dsa etc.) in home directories of all users
  • integrity (Dan Kopecek)
    • System integrity test. Checks presence and integrity of system commands and directories. For checking the integrity of binaries the command rpmverify (rpm -Vf) is used. A search for duplicates is also done for each command.
  • logfiles (Michel Samia)
    • Tests presence, owner, group and permissions of logfiles
  • mountopt (Jakub Hrozek)
    • Checks for potentially insecure mount options in /etc/fstab like not having nosuid on removable devices etc.
  • netserv (Dan Kopecek)
    • Audit of currently running network services.
  • nfs (Michel Samia)
    • Audit of nfs server. Finds RW exports
  • openssh (Dan Kopecek)
    • OpenSSH configuration audit.
  • openvpn (Dan Kopecek)
    • OpenVPN configuration audit.
  • passwd (Michel Samia)
    • Checks passwd for whether
      • /etc/passwd has permission 644 and its owner is root:root
      • /etc/shadow has permission 400 and its owner is root:root
      • line is not blank
      • line has correct number of fields
      • username is not empty
      • username contains only alpha-numeric characters
      • username is shorter than 32 chars
      • all users have password
      • all passwords are shadowed
      • UID and GID are valid numbers
      • UID and GID are in range 500..60000
      • user has UID 0, but his username is not root
      • user has UID 1, but his username is not bin
      • user has GID 0, but his username is not root
      • user has GID 1, but his username is not bin
      • user has negative UID
      • user has negative GID
      • there are users with the same UID
      • there are duplicate usernames
      • root has UID 0
      • user has valid shell (listed in /etc/shells)
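As an added illustration of the line-level and cross-line checks the passwd test above lists, the following Python script (written for this page, not secTool's own test code) runs them over a constructed sample file. Assumptions: the sample passwd contents and the VALID_SHELLS set standing in for /etc/shells are constructed; the 500..60000 range check is taken not to apply to the well-known IDs 0 and 1, which get their own name checks instead; the checks on the mode and owner of /etc/passwd and /etc/shadow themselves need a stat on the real files and are left out.

```python
import re
from collections import Counter, defaultdict

# Constructed sample /etc/passwd (not taken from a real host); each bad line
# exercises one of the checks listed for the passwd test.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second admin:/root:/bin/bash
alice:$6$saltsalt$notreallyahash:500:500:Alice:/home/alice:/bin/bash
bob::501:501:Bob:/home/bob:/bin/bash
bob:x:502:502:Bob again:/home/bob2:/bin/zsh
car-ol:x:503:503:Carol:/home/carol:/bin/bash
dave:x:503:504:Dave:/home/dave:/bin/bash
eve:x:-5:505:Eve:/home/eve:/bin/bash
frank:x:abc:506:Frank:/home/frank:/bin/bash

short:x:507:507
"""

# Constructed stand-in for the contents of /etc/shells.
VALID_SHELLS = frozenset({"/bin/bash", "/bin/sh", "/sbin/nologin"})

NAME_RE = re.compile(r"[A-Za-z0-9]+")
ID_RANGE = range(500, 60001)  # the 500..60000 range named on the page


def _check_id(label, value, name):
    """Checks for one UID or GID field. Returns (parsed int or None, messages)."""
    try:
        n = int(value)
    except ValueError:
        return None, [f"{label} is not a valid number"]
    msgs = []
    if n < 0:
        msgs.append(f"{label} is negative")
    # Assumption: the well-known system IDs 0 and 1 are exempt from the
    # 500..60000 range check; they are covered by the name checks below.
    elif n not in ID_RANGE and n not in (0, 1):
        msgs.append(f"{label} {n} is outside 500..60000")
    expected = {0: "root", 1: "bin"}.get(n)
    if expected is not None and name != expected:
        msgs.append(f"{label} {n} but username is not {expected}")
    return n, msgs


def check_passwd(text, valid_shells=VALID_SHELLS):
    """Return (lineno, message) findings; lineno 0 marks whole-file findings."""
    findings = []
    uid_owners = defaultdict(list)  # UID -> usernames, for duplicate detection
    names = Counter()               # username -> occurrences
    root_uid = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            findings.append((lineno, "blank line"))
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, f"wrong number of fields ({len(fields)}, expected 7)"))
            continue
        name, pw, uid, gid, _gecos, _home, shell = fields
        if not name:
            findings.append((lineno, "username is empty"))
        elif not NAME_RE.fullmatch(name):
            findings.append((lineno, "username contains non-alphanumeric characters"))
        if len(name) >= 32:
            findings.append((lineno, "username is 32 characters or longer"))
        if pw == "":
            findings.append((lineno, "user has no password"))
        elif pw != "x":  # anything but the shadow marker means a hash lives in passwd
            findings.append((lineno, "password is not shadowed"))
        uid_n, umsgs = _check_id("UID", uid, name)
        _gid_n, gmsgs = _check_id("GID", gid, name)
        findings.extend((lineno, m) for m in umsgs + gmsgs)
        if shell not in valid_shells:
            findings.append((lineno, f"shell {shell} is not listed in /etc/shells"))
        names[name] += 1
        if uid_n is not None:
            uid_owners[uid_n].append(name)
            if name == "root":
                root_uid = uid_n
    # Cross-line checks: shared UIDs, duplicate usernames, root's UID.
    for uid_n in sorted(uid_owners):
        owners = uid_owners[uid_n]
        if len(owners) > 1:
            findings.append((0, f"UID {uid_n} shared by {', '.join(owners)}"))
    for name, count in names.items():
        if count > 1:
            findings.append((0, f"username {name} appears {count} times"))
    if root_uid != 0:
        findings.append((0, "root does not have UID 0"))
    return findings


if __name__ == "__main__":
    for lineno, msg in check_passwd(SAMPLE_PASSWD):
        print(f"line {lineno or '-'}: {msg}")
```

On a real host the same function can be fed the text of /etc/passwd and the shell list parsed from /etc/shells; the constructed sample produces thirteen findings, including the second UID 0 account and the two users sharing UID 503.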
  • path (Michel Samia)
    • Checks
      • if all directories listed in PATH exist
    • Tests the environment variable PATH for
      • hazardous paths './', '/tmp'
      • group-writable or world-writable directories
      • writable executables
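The PATH checks above, as an added example written for this page (not secTool's own path test): the script walks a colon-separated PATH value and reports missing directories, the hazardous entries the page names, group- or world-writable directories, and executables inside them that others can write to. To run offline it reads file modes from a constructed in-memory mapping instead of os.stat; the FAKE_FS contents and the notion that an entry is "writable" when either the group or the world write bit is set are assumptions.

```python
import stat
from collections import namedtuple

# Minimal stand-in for a stat result: just the mode bits we need.
Node = namedtuple("Node", "mode")

# Constructed fake filesystem (not a real host): path -> Node(st_mode).
FAKE_FS = {
    "/usr/bin": Node(stat.S_IFDIR | 0o755),
    "/usr/bin/ls": Node(stat.S_IFREG | 0o755),
    "/usr/local/bin": Node(stat.S_IFDIR | 0o775),        # group-writable directory
    "/usr/local/bin/tool": Node(stat.S_IFREG | 0o777),   # world-writable executable
    "/usr/local/bin/README": Node(stat.S_IFREG | 0o666), # writable but not executable
    "/tmp": Node(stat.S_IFDIR | 0o1777),
}

# The hazardous entries named on the page; '.' is the same thing as './'.
HAZARDOUS = {".", "./", "/tmp"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def _writable_by_others(mode):
    """True when the group or world write bit is set (assumed definition)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def _children(fs, directory):
    """Direct children of a directory in the fake filesystem."""
    prefix = directory.rstrip("/") + "/"
    for path, node in fs.items():
        if path.startswith(prefix) and "/" not in path[len(prefix):]:
            yield path, node


def check_path(path_value, fs):
    """Return (path, message) findings for every entry of a PATH string."""
    findings = []
    for entry in path_value.split(":"):
        if entry in HAZARDOUS:
            findings.append((entry, "hazardous PATH entry"))
            continue
        node = fs.get(entry)
        if node is None or not stat.S_ISDIR(node.mode):
            findings.append((entry, "directory does not exist"))
            continue
        if _writable_by_others(node.mode):
            findings.append((entry, "directory is group- or world-writable"))
        for path, child in _children(fs, entry):
            if (stat.S_ISREG(child.mode) and child.mode & EXEC_BITS
                    and _writable_by_others(child.mode)):
                findings.append((path, "executable is group- or world-writable"))
    return findings


if __name__ == "__main__":
    for path, msg in check_path("/usr/bin:/usr/local/bin:/tmp:./:/opt/missing", FAKE_FS):
        print(f"{path}: {msg}")
```

To run it against the real system, build the mapping from os.stat and os.listdir for each PATH entry (or replace the fs argument with a small wrapper around those calls); the check logic stays the same.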
  • permissions (Michel Samia)
    • Tests important directories for presence, permissions and owner
  • removedlibs (Dan Kopecek)
    • Checks if libraries mapped into memory are the same as the libraries on the disk. To get rid of these warnings simply restart the affected processes (their names and PIDs are in the messages printed out by this test). Use the command service(8) to restart processes that belong to a running system service.
  • routing (Michel Samia)
    • Checks the routing tables and warns if some changes are found.
  • selftest (Dan Kopecek)
    • secTool selftest. Checks permissions of test scripts, permanent data directories and basic sanity of .dsc files.
  • selinux (Peter Vrabec)
    • Checks if you have selinux enabled.
  • shadow (Michel Samia)
    • Checks shadow for whether
      • /etc/shadow has permission 400 and its owner is root:root
      • line is not blank
      • line has correct number of fields
      • username is not empty
      • username contains only alpha-numeric characters
      • username is shorter than 32 chars
      • all users have password
      • there are duplicate usernames
  • suid (Jakub Hrozek)
    • Looks for suid binaries in the system and compares the result against the last run. Up to level 3 it checks only binaries in $PATH; from level 3 onwards it also checks whether a file belongs to a package, and from level 4 onwards it walks the entire / filesystem scanning for setuid files. Settings:
      • CHECK_PATH - if the test should check the $PATH variable, can be 1 or 0
      • PACKAGE_CMD - the command used to get the package a file belongs to
      • CHECK_DIR - a directory or a list of directories to check in addition
      • CHECK_FILE_PACKAGE - whether to check if a setuid file belongs to a package, can be 0 or 1, is 1 from level 3 up
  • tcp_wrappers (Michel Samia)
    • Checks whether all running applications which use libwrap have some restrictions in /etc/hosts.deny and /etc/hosts.allow
  • vsftpd (Maros Barabas)
    • Checks vsftpd configuration for:
      • Server listening configuration
      • Port range
      • DoS vulnerability via ascii mangling
      • Excessive I/O via -R option in ls command
      • ...and other things
    • Checks the system for:
      • Good permissions on configuration files and directories
      • Whether all configuration files exist
      • Whether SELinux is denying vsftpd its work
  • xinetd (Dan Kopecek)
    • xinetd configuration audit.

Planned tests