
Securing-Optimizing-RH-Linux-1_2_60
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

· To locate all group & world-writable directories on your system, use the command:
[root@deep /]# find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \;

NOTE: A file and directory integrity checker such as Tripwire can be run regularly to scan for, manage and find modified group- or world-writable files and directories easily. See chapter 10, “Securities Software (Monitoring Tools)”, in this book for more information about Tripwire.

36. Unowned files
Don’t permit any unowned files. Unowned files may also be an indication that an intruder has accessed your system. If you find an unowned file or directory on your system, verify its integrity and, if all looks fine, give it an owner name. Sometimes you may uninstall a program and be left with an unowned file or directory related to that software; in this case you can remove the file or directory safely.

· To locate files on your system that do not have an owner, use the following command:
[root@deep /]# find / -nouser -o -nogroup

NOTE: Once again, files reported under the “/dev” directory don’t count.

37. Finding “.rhosts” files
Finding all the “.rhosts” files that could exist on your server should be a part of your regular system administration duties, as these files should not be permitted on your system. Remember that a cracker only needs one insecure account to potentially gain access to your entire network.

· You can locate all “.rhosts” files on your system with the following command:
[root@deep /]# find /home -name .rhosts

You can also use a cron job to periodically check for, report the contents of and delete $HOME/.rhosts files. Also, users should be made aware that you regularly perform this type of audit, as directed by policy.

· To use a cron job to periodically check for and report via mail all “.rhosts” files, do the following:
Create, as “root”, the find_rhosts_files script file under the “/etc/cron.daily” directory (touch /etc/cron.daily/find_rhosts_files) and add the following lines to this script file:

#!/bin/sh
/usr/bin/find /home -name .rhosts | (cat <<EOF
This is an automated report of possible existent ".rhosts" files on the server
deep.openarch.com, generated by the find utility command.
New detected ".rhosts" files under the "/home" directory include:
EOF
cat
) | /bin/mail -s "Content of .rhosts file audit report" root

Now make this script file executable, then change its owner and group to “root”:
[root@deep /]# chmod 755 /etc/cron.daily/find_rhosts_files
[root@deep /]# chown 0.0 /etc/cron.daily/find_rhosts_files

Each day a mail will be sent to “root” with the subject “Content of .rhosts file audit report”, listing any newly found “.rhosts” files.
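
The cron script above lists only the paths of the “.rhosts” files it finds. The following is an added example, not part of the book, that also reports each file's mode, owner and number of entries, and counts entries using a bare “+”, which trusts every host or every user. The function names audit_rhosts and rhosts_summary are this example's own, and the sample use in the final comment reuses the mail command from the script above.

```shell
#!/bin/sh
# Added example, not from the book. Function names are this example's own.

# Print "entries=N wildcard=M" for one .rhosts file.
# An entry is "host [user]"; a bare "+" in either field trusts every host
# or every user, so those lines are counted separately.
rhosts_summary() {
    awk '
        /^[ \t]*(#|$)/ { next }                # skip comment and blank lines
        { entries++ }
        $1 == "+" || $2 == "+" { wildcard++ }
        END { printf "entries=%d wildcard=%d\n", entries, wildcard }
    ' "$1"
}

# Walk BASE (default /home) and print one report line per .rhosts file.
audit_rhosts() {
    base=${1:-/home}
    find "$base" -name .rhosts -type f 2>/dev/null |
    while IFS= read -r f; do
        # Fields 1 and 3 of "ls -ld" are the mode string and the owner.
        meta=$(ls -ld "$f" | awk '{ print "mode=" $1, "owner=" $3 }')
        printf '%s %s %s\n' "$f" "$meta" "$(rhosts_summary "$f")"
    done
}

# Typical use from the cron script:
#   audit_rhosts /home | /bin/mail -s "Content of .rhosts file audit report" root
```

Any line reporting a non-zero wildcard count deserves attention first, since that account accepts logins without regard to the originating host or user.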