Intrusion detection in Linux with Tiger

Tiger is a collection of intrusion detection scripts for Linux systems.

It is not hard to use, since it does almost everything on its own; at least as far as the analysis is concerned.

To install it on Ubuntu:

$ sudo aptitude install tiger

Quite a bit of stuff will be installed.

When that is done you can run the command:

$ sudo tiger
Tiger UN*X security checking system
   Developed by Texas A&M University, 1994
   Updated by the Advanced Research Corporation, 1999-2002
   Further updated by Javier Fernandez-Sanguino, 2001-2018
   Contributions by Francisco Manuel Garcia Claramonte, 2009-2010
   Covered by the GNU General Public License (GPL)

Configuring...
 
Will try to check using config for 'x86_64' running Linux 4.18.0-15-generic...
--CONFIG-- [con005c] Using configuration files for Linux 4.18.0-15-generic. Using
           configuration files for generic Linux 4.
Tiger security scripts *** 3.2.4rc1, 2018.02.10.20.30 ***
12:46> Beginning security report for matte-xub.
12:46> Starting file systems scans in background...
12:46> Checking password files...
12:46> Checking group files...
12:46> Checking user accounts...
12:46> Checking .rhosts files...
12:46> Checking .netrc files...
12:46> Checking ttytab, securetty, and login configuration files...
12:46> Checking PATH settings...
12:46> Checking anonymous ftp setup...
12:46> Checking mail aliases...
12:46> Checking cron entries...
12:46> Checking 'services' configuration...
12:46> Checking NFS export entries...
12:46> Checking permissions and ownership of system files...
12:46> Checking for indications of break-in...
12:46> Performing rootkit checks...
12:46> Performing system specific checks...
12:52> Performing root directory checks...
12:52> Checking for secure backup devices...
12:52> Checking for the presence of log files...
12:52> Checking for the setting of user's umask...
12:52> Checking for listening processes...
12:52> Checking SSHD's configuration...
12:52> Checking the printers control file...
12:52> Checking ftpusers configuration...
12:52> Checking NTP configuration...
12:52> Waiting for filesystems scans to complete...
12:52> Filesystems scans completed...
12:52> Performing check of embedded pathnames...
12:52> Security report completed for matte-xub.
Security report is in `/var/log/tiger/security.report.matte-xub.190222-12:46'.

A log is created, and the output tells you where to find it.

Inside it you should look for lines like this one:

--WARN-- [pass016w] ...........

We can see the details of a warning with tigexp:

$ tigexp pass016w
The listed login ID should not have "/" (system root directory) as its
home drive. This is a possible security hole.
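Doing that by hand for every line gets tedious, so here is an added example (not from the original post or from the Tiger project): a small POSIX shell helper that pulls the distinct message codes out of a report at a chosen severity and feeds each one to tigexp. The report snippet is constructed, and every code in it except pass016w and con005c is an invented placeholder in Tiger's format.

```shell
#!/bin/sh
# Constructed sample of a Tiger report (not real output); the codes other
# than pass016w and con005c are invented placeholders in Tiger's format.
SAMPLE_REPORT='Security report for example-host
--CONFIG-- [con005c] Using configuration files for Linux 4.
--INFO-- [logf001i] Log file /var/log/syslog exists.
--WARN-- [pass016w] Login ID alice has / as its home directory.
--WARN-- [pass016w] Login ID bob has / as its home directory.
--FAIL-- [perm002f] Unexpected permissions on a system file.
           (continuation lines are indented and carry no code)
--ALERT-- [rcs003a] Possible rootkit indicator found.'
SAMPLE=$(mktemp)
printf '%s\n' "$SAMPLE_REPORT" > "$SAMPLE"

# tiger_codes FILE [LEVEL]: print the distinct message codes found at LEVEL
# or above. Severity, least to most serious: INFO, WARN, FAIL, ALERT.
# CONFIG lines are never selected; they describe the scan, not a finding.
tiger_codes() {
    file=$1
    case ${2:-WARN} in
        INFO)  pat='(INFO|WARN|FAIL|ALERT)' ;;
        WARN)  pat='(WARN|FAIL|ALERT)' ;;
        FAIL)  pat='(FAIL|ALERT)' ;;
        ALERT) pat='ALERT' ;;
        *) echo "tiger_codes: unknown level '$2'" >&2; return 2 ;;
    esac
    # Finding lines look like "--WARN-- [pass016w] text"; keep only the
    # bracketed code and collapse repeats so each code is explained once.
    grep -E "^--$pat-- \[" "$file" \
        | sed 's/^--[A-Z]*-- \[\([a-z0-9]*\)\].*/\1/' \
        | sort -u
}

# explain_codes FILE [LEVEL]: run tigexp once per distinct code, so the
# report can be read with the explanation next to each code.
explain_codes() {
    tiger_codes "$1" "${2:-WARN}" | while read -r code; do
        printf '== %s ==\n' "$code"
        tigexp "$code"
    done
}

# Stand-alone run: list WARN-or-worse codes from the sample, and explain
# them only if tigexp (shipped with the tiger package) is installed.
tiger_codes "$SAMPLE" WARN
if command -v tigexp >/dev/null 2>&1; then
    explain_codes "$SAMPLE" WARN
fi
```

Point it at the real report instead of the sample, e.g. `explain_codes /var/log/tiger/security.report.matte-xub.190222-12:46 FAIL`, to read only the FAIL and ALERT findings with their explanations.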

Enjoy!