SekChek for UNIX: Scan Instructions


Prerequisites

You should already have created a copy of the Scan software (SEKUNEXT).

Outline of this Step

UNIX Host Scan File(s)

**IMPORTANT**

  1. To ensure correct results, use the root account for the following operations.
  2. SekChek for UNIX will run on any system that supports the Bourne shell.
  3. Other than the security scan data written to sub-directory sekchek/ (see below), the Scan process does NOT ADD TO, CHANGE, OR DELETE FROM the client's system in any way!

Running the Scan Software


1. Copy the Scan Software to a Directory on the UNIX Machine

Copy the file SEKUNEXT from diskette to a directory on the UNIX machine.


Important! Specify binary (i.e. not ASCII) in your copy utility or ftp software to ensure that CR/LF characters are properly converted.

See below for examples of basic ftp commands.

2. Ensure the ROOT account has Authority to Execute the Scan Software

From the shell prompt enter: chmod 700 /tmp/SEKUNEXT (where tmp is the full name of the directory containing SEKUNEXT)

3. Change your Working Directory to the Desired Output Directory

From the shell prompt enter: cd /tmp (where tmp is the full name of the directory to contain SekChek's output files)

SekChek will automatically create a sub-directory (in Step 4 below) called 'sekchek' in your (current) working directory and write its Scan files to it. E.g. if your current working directory is '/tmp', your scan files will be written to directory '/tmp/sekchek/'.

You should ensure the partition has 20Mb of free space for SekChek's output files.

4. Execute the Scan Software

From the shell prompt enter: sh (to ensure you are in the Bourne shell)

Then enter: /tmp/SEKUNEXT (where tmp is the full name of the directory containing SEKUNEXT)

The software will ask if you want to scan details of:

  • Programs that Switch User Id (SUID)
  • Permissions on programs in the system search path
  • Files with world writeable permissions
  • Encrypted password information
  • Permissions on files stored on NFS mounted volumes

If you are not interested in this information we recommend you reply 'N'. This is because on systems with large file systems it can take several hours to scan this data.

See below for an explanation of these run-time options, including their impact on your SekChek report.

SekChek will scan security data on the UNIX host and write it to sub-directory 'sekchek' in your (current) working directory. It will either create one file (sekunf.z) only, or 20-30 text (.txt) files, depending on the availability of certain software on the machine.

5. Copy the Scan File(s) to Diskette & Clean-Up

After the Scan Software has completed, you will need to:

  • Copy the file(s) in directory /pathname/sekchek/ to diskette. Ensure you specify 'binary' (i.e. not ASCII or TXT) format in the copy/ftp operation.
  • Delete all files in directory /pathname/sekchek/ (e.g. rm /tmp/sekchek/*). Make certain you enter this command correctly, otherwise you risk deleting many other files also!
  • Remove sub-directory /sekchek (e.g. rmdir /tmp/sekchek)
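
The checks that steps 3 and 5 depend on, as an added example (not part of SekChek or its documentation): Bourne-shell functions that confirm free space, confirm nothing named 'sekchek' already exists in the working directory, and clean up only a real directory of that name. The function names and the 20480 figure (the 20Mb requirement read as 1 KB blocks) are assumptions of this example.

```sh
#!/bin/sh
# Added example: guard rails for steps 3 and 5. Not SekChek code.

# has_free_kb DIR MIN_KB: succeed if DIR's partition has MIN_KB free.
has_free_kb() {
    avail=`df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}'`
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# pre_scan_ok WORKDIR MIN_KB: succeed only if nothing named 'sekchek'
# exists in WORKDIR yet and there is room for the output files.
pre_scan_ok() {
    if [ -h "$1/sekchek" ] || [ -e "$1/sekchek" ]; then
        echo "refusing: $1/sekchek already exists" >&2
        return 1
    fi
    has_free_kb "$1" "$2"
}

# safe_cleanup WORKDIR: remove WORKDIR/sekchek (step 5) without a bare
# 'rm dir/*' that a typing slip could aim at the wrong directory.
safe_cleanup() {
    case "$1" in
        /*) ;;
        *)  echo "refusing: '$1' is not an absolute path" >&2; return 1 ;;
    esac
    out="$1/sekchek"
    if [ -h "$out" ] || [ ! -d "$out" ]; then
        echo "refusing: $out is missing or is a symlink" >&2
        return 1
    fi
    for f in "$out"/*; do
        # Regular files only; never follow links or recurse.
        if [ -f "$f" ] && [ ! -h "$f" ]; then rm -f "$f"; fi
    done
    rmdir "$out"
}

# e.g. pre_scan_ok /tmp 20480 || exit 1   (then run step 4 as documented)
```

Because the scan runs as root and writes to a fixed sub-directory name, the pre-scan check matters most when the working directory is shared, such as /tmp.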


Basic ftp Commands.

ftp 193.241.02.85 (establish an ftp connection with machine 193.241.02.85)

cd /tmp (change the default directory on the remote machine to e.g. /tmp)

binary (change FTP's transfer mode to binary)

get remote_filename [local_filename] (copy remote_filename from the default directory on the remote machine to the default directory on the local machine)

put local_filename [remote_filename] (copy local_filename from the default directory on the local machine to the default directory on the remote machine)

bye (or quit) (exit ftp)

Values inside square brackets [ ] are optional.

Sample command to create a sub-directory on the UNIX machine (optional).
From the shell prompt on the UNIX machine, enter:
mkdir /tmp/mydir
(This command will create a sub-directory called 'mydir' in directory '/tmp')

More information: A sample ftp session



Run-time Options.

Programs that Switch User Id (SUID)

  • These programs assume the identity of the user owning the executable [often root], rather than the user executing the program. It is important to maintain strong permissions on these programs because unauthorised changes [or program substitutions] could allow intruders to gain access to the root account and to all resources on your system.
  • If you choose not to scan these permissions, your SekChek report will not contain information on programs that SUID.

Permissions on programs in the system search path

  • This step will scan permissions on all files residing in all directories in the system search path. This path is searched each time a program or command is executed to determine the location of the program. Inappropriate permissions on these programs could lead to unauthorised changes [or program substitutions], which could have serious security implications.
  • If you choose not to scan these permissions, your SekChek report will not contain information on programs in the System Path.

Files with world writeable permissions

  • This step will scan a list of all files with world-writeable permissions on them. World-writeable permissions on a program or file allow ALL users with access to your system to change or delete the file. Sensitive files or programs should not be world-writeable and should be assigned to an appropriate owner.
  • If you choose not to scan this list, your SekChek report will not contain information on files with world-writeable permissions.

Encrypted password information

  • This step will scan encrypted password information in password and shadow password files. This will allow SekChek to analyse password triviality and determine which accounts are disabled.
  • If you choose not to scan encrypted password information, the encrypted passwords will be replaced with “USER_WITHHELD” in SekChek’s Scan file.
  • Note that encrypted password information on Trusted Computing Base systems that store data in non-text format will not be replaced with “USER_WITHHELD” and will therefore be written to the Scan file.
  • If you choose not to scan encrypted password information, your SekChek report will not contain analyses of trivial passwords or disabled user accounts.

Permissions on files stored on NFS mounted volumes

  • This step will include NFS mounts in the Scan of file and directory permissions. NFS (Network File System) mounts are links to directories residing on remote servers.
  • If you choose not to scan permissions on files in NFS Mounts, your SekChek report will only analyse permissions on files and directories residing on local disks.

Write Host details to a header in the Scan File

This option will write the Host name and Username to a clear text header in the Scan file. This can be useful for identification purposes.
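
What the three file-permission options above refer to on disk, as an added example (not SekChek code; the page does not show how SekChek collects this data): Bourne-shell functions that list SUID programs, world-writeable files, and weak search-path entries. The function names are assumptions of this example, and -xdev keeps find on the starting filesystem so other mounts such as NFS are not crossed.

```sh
#!/bin/sh
# Added example: the permission categories named in the run-time options.
# Not SekChek code; function names are hypothetical.

# list_suid ROOT: regular files with the set-user-ID bit, one per line.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# list_world_writable ROOT: regular files that any user may modify.
list_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# weak_path_dirs PATHSTRING: search-path entries that are empty, relative,
# or directories writeable by group or world (program substitution risk).
weak_path_dirs() {
    old_ifs=$IFS; IFS=:; set -f     # split on ':' without globbing
    for dir in $1; do
        case "$dir" in
            "") echo "(empty entry = current directory)" ;;
            /*) hit=
                if [ -d "$dir" ]; then
                    hit=`find "$dir" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null`
                fi
                if [ -n "$hit" ]; then echo "$dir"; fi ;;
            *)  echo "$dir (relative)" ;;
        esac
    done
    set +f; IFS=$old_ifs
}

# e.g. list_suid /usr ; list_world_writable /etc ; weak_path_dirs "$PATH"
```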


If you encounter difficulties with the process, call us with details of the problem and we will guide you through the process.


Next Step…

Encrypt the Scan File (on your PC)