CGI and Perl

Monitoring Filesystem Changes, Network Security, and Analyzing Password Security

There are three basic tools that enhance the security of your system by monitoring filesystem changes and checking for bad passwords. These tools have been in use for a long time and are freely available. We recommend that you use all of them on a regular basis.

Monitoring the Filesystem

For monitoring the filesystem, there are two primary tools. The first is called TripWire. It's a suite of C programs and Bourne shell scripts that analyze the critical files on your system and produce a database. Each time you run the tool after the database has been created, it compares the current state of the files against the stored size, ownership, permissions, timestamps, and checksums. If anything has changed, you get a report of exactly which file changed, when, and which attributes differ, for every critical filesystem entity you have chosen to monitor. Keep in mind that an intruder who can alter the monitored files can also alter the database, so store the database (and ideally the TripWire binaries themselves) on read-only media or on a host the monitored machine cannot write to. You can obtain TripWire's latest version at

ftp://coast.cs.purdue.edu/pub/COAST/TripWire
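The following script is an added example of the TripWire idea, written for this section rather than taken from TripWire itself. It records size, owner, group, permission bits, modification time, and a SHA-256 digest for every entry under the given paths, saves them to a database file, and on later runs reports entries that were added, removed, or changed and which attributes differ. The database file name, the tab-separated format, and the command names (init, check) are choices made for this example.

```perl
#!/usr/bin/perl
# Minimal TripWire-style integrity checker (added example, not TripWire's code).
# Usage:  integrity.pl init  <dbfile> <path>...    build the baseline database
#         integrity.pl check <dbfile> <path>...    compare current state to it
use strict;
use warnings;
use File::Find;
use Digest::SHA;

# Attributes recorded per entry; the digest is '-' for anything but a regular file.
my @FIELDS = qw(size uid gid mode mtime sha256);

# Return a hashref of attributes for one path, or nothing if it cannot be stat'ed.
sub snapshot_file {
    my ($path) = @_;
    my @st = lstat($path) or return;
    my %rec = (size => $st[7], uid => $st[4], gid => $st[5],
               mode => sprintf('%04o', $st[2] & 07777), mtime => $st[9],
               sha256 => '-');
    if (-f $path && !-l $path) {          # regular file, not a symlink: hash the contents
        if (open(my $fh, '<:raw', $path)) {
            $rec{sha256} = Digest::SHA->new(256)->addfile($fh)->hexdigest;
            close $fh;
        }
    }
    return \%rec;
}

# Walk the given roots and return { path => record }.
sub snapshot_tree {
    my (@roots) = @_;
    my %db;
    find({ no_chdir => 1,
           wanted   => sub { my $r = snapshot_file($File::Find::name);
                             $db{$File::Find::name} = $r if $r; } }, @roots);
    return \%db;
}

# Database format: one tab-separated line per path (paths containing tabs are not handled).
sub save_db {
    my ($file, $db) = @_;
    open(my $out, '>', $file) or die "cannot write $file: $!\n";
    print $out join("\t", $_, map { $db->{$_}{$_} } ()), '' for ();   # placeholder-free
    for my $p (sort keys %$db) {
        print $out join("\t", $p, map { $db->{$p}{$_} } @FIELDS), "\n";
    }
    close $out;
}

sub load_db {
    my ($file) = @_;
    my %db;
    open(my $in, '<', $file) or die "cannot read $file: $!\n";
    while (my $line = <$in>) {
        chomp $line;
        my ($p, @vals) = split /\t/, $line;
        @{ $db{$p} }{@FIELDS} = @vals;
    }
    close $in;
    return \%db;
}

# Compare baseline and current state; return a list of findings, one per string.
sub compare_db {
    my ($old, $new) = @_;
    my @findings;
    for my $p (sort keys %$old) {
        if (!exists $new->{$p}) { push @findings, "REMOVED $p"; next; }
        my @changed = grep { $old->{$p}{$_} ne $new->{$p}{$_} } @FIELDS;
        push @findings, "CHANGED $p: " . join(', ',
            map { "$_ $old->{$p}{$_} -> $new->{$p}{$_}" } @changed) if @changed;
    }
    push @findings, "ADDED $_" for grep { !exists $old->{$_} } sort keys %$new;
    return @findings;
}

my ($cmd, $dbfile, @paths) = @ARGV;
die "usage: $0 init|check <dbfile> <path>...\n" unless $cmd && $dbfile && @paths;
if ($cmd eq 'init') {
    save_db($dbfile, snapshot_tree(@paths));
    print "baseline written to $dbfile\n";
} elsif ($cmd eq 'check') {
    my @f = compare_db(load_db($dbfile), snapshot_tree(@paths));
    print "$_\n" for @f;
    print "no changes\n" unless @f;
    exit(@f ? 1 : 0);           # non-zero exit lets cron or a wrapper flag the run
}
```

Run it as root once with init over directories such as /etc, /bin, and /sbin, then schedule check from cron and mail the output. The mode field covers the setuid, setgid, and sticky bits as well as the rwx bits, so a permission change on a system binary shows up even when its contents and size do not change.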

The other tool commonly used to monitor the filesystem is called COPS (Computer Oracle and Password System). COPS is a suite of scripts (the distribution includes both a shell/C version and a Perl version) that traverse the filesystem looking for SUID programs or scripts, system directories and files that are world writable, and other potential holes. COPS also builds a database that stores the current status of all the important files it finds, compares any given run against this database, and reports back on a large number of potential problems. COPS also provides rudimentary checking for bad passwords, users' home directories and login files, anonymous FTP setup, unrestricted tftp, and even the timestamps of key files that have been named in past CERT advisories, along with the Kuang expert system, which takes a set of rules and tries to determine whether your system can be compromised. COPS is available at

ftp://ftp.cert.org/pub/tools/cops
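The script below is an added example of the permission checks COPS performs; it is written for this section and is not COPS code. It walks the given paths and reports setuid and setgid files (flagging setuid scripts separately, since a setuid interpreter script is a classic hole), world-writable files, and world-writable directories that lack the sticky bit. The decision to treat a sticky world-writable directory such as /tmp as acceptable is a choice made for this example.

```perl
#!/usr/bin/perl
# COPS-style permission audit (added example, not COPS code).
# Usage: permaudit.pl <path>...      run as root so every entry can be examined
use strict;
use warnings;
use File::Find;
use Fcntl ':mode';      # S_ISREG, S_ISDIR, S_ISLNK, S_ISUID, S_ISGID, S_ISVTX, S_IWOTH

# Return true if the file starts with "#!", i.e. it is an interpreter script.
sub is_script {
    my ($path) = @_;
    open(my $fh, '<:raw', $path) or return 0;
    my $n = read($fh, my $head, 2);
    close $fh;
    return defined $n && $n == 2 && $head eq '#!';
}

# Return a list of problem descriptions for one path (empty list if it looks fine).
sub check_path {
    my ($path) = @_;
    my @st = lstat($path) or return;
    my $mode = $st[2];
    return if S_ISLNK($mode);           # a symlink's own bits are meaningless; the target is checked separately
    my $perm = sprintf('%04o', $mode & 07777);
    my @problems;

    if (S_ISREG($mode) && ($mode & S_ISUID)) {
        push @problems, (is_script($path) ? 'SETUID SCRIPT' : 'setuid file')
                      . " (owner uid $st[4]) mode $perm";
    }
    if (S_ISREG($mode) && ($mode & S_ISGID)) {
        push @problems, "setgid file (group gid $st[5]) mode $perm";
    }
    if ($mode & S_IWOTH) {
        if (S_ISDIR($mode)) {
            # /tmp-style directories are world writable by design, but only with the sticky bit set
            push @problems, "world-writable directory without sticky bit, mode $perm"
                unless $mode & S_ISVTX;
        } elsif (S_ISREG($mode)) {
            push @problems, "world-writable file, mode $perm";
        }
    }
    return map { "$path: $_" } @problems;
}

my @roots = @ARGV or die "usage: $0 <path>...\n";
my @findings;
find({ no_chdir => 1,
       wanted   => sub { push @findings, check_path($File::Find::name) } }, @roots);
print "$_\n" for @findings;
print scalar(@findings), " finding(s)\n";
```

Every setuid file on a healthy system is expected (passwd, su, and a handful of others), so the useful practice is the one COPS follows: save the output of a known-good run and compare later runs against it, so that a newly appeared setuid binary or a freshly chmod'ed directory stands out rather than being lost in the familiar list.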

Monitoring System Password Security

Several steps must be taken in order to implement a plan for preventing bad passwords. The first, and the most important to put in place, is to ensure that the user cannot create a bad password in the first place. There are a number of checks that should be applied before a user is allowed to change or create a password: minimum length, rejection of dictionary words and of the login name, and a requirement for more than one class of character are the usual ones. One widely used tool replaces the /bin/passwd program with a setuid wrapper that invokes a Perl script called anlpasswd, which applies such checks before the new password is accepted. There are many others. The important thing to realize is that you must ensure that the user cannot select a "bad" password before implementing the other components of a password security plan.

The next step in password security is to run a program called Crack against the /etc/passwd (or shadow) database. Crack is a CPU-intensive program that often runs for days at a time: it takes words from dictionaries, applies a large set of mangling rules to each (capitalization, reversal, appended digits, and so on), encrypts each candidate with the same crypt() routine and salt the system used, and compares the result with the stored hash. Once it is complete, the administrator informs each user whose password was guessed that it must be changed, but not until step one is in place, or the purpose is defeated, because the user can simply choose another bad password. Crack can also be obtained from the CERT site:

ftp://ftp.cert.org/pub/tools/crack/
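The script below is an added example covering both halves of the plan above: a pre-acceptance check of the kind anlpasswd performs, and a small Crack-style dictionary attack run against passwd-style records. It is written for this section and is neither anlpasswd nor Crack code. The word list is a constructed stand-in for a real dictionary, the three sample accounts and their passwords are constructed here, and their hashes are generated at run time with the system's crypt(3) so the example is self-contained; the exact rules and the choice of a "$6$" (SHA-512) salt are assumptions of this example.

```perl
#!/usr/bin/perl
# Password plan in two parts (added example; not anlpasswd or Crack code):
#   reject_reason()  checks applied before a new password is accepted
#   crack_passwd()   guesses passwords in "user:hash:..." records with crypt()
use strict;
use warnings;

# Constructed word list; a real run uses a dictionary of tens of thousands of words.
my @WORDLIST = qw(password secret welcome letmein qwerty dragon monkey sunshine);
my %DICT = map { $_ => 1 } @WORDLIST;

# Return a reason the candidate password is bad, or undef if it is acceptable.
sub reject_reason {
    my ($user, $cand) = @_;
    my $lc = lc $cand;
    return 'too short (need 8+ characters)' if length($cand) < 8;
    return 'contains the login name'        if index($lc, lc $user) >= 0;
    return 'dictionary word'                if $DICT{$lc};
    (my $stripped = $lc) =~ s/\d+$//;                   # "secret123" -> "secret"
    return 'dictionary word plus digits'    if $stripped ne $lc && $DICT{$stripped};
    return 'only one character class'       unless $cand =~ /[a-z]/ && $cand =~ /[^a-z]/;
    return undef;
}

# Crack-style mangling rules: as-is, capitalized, reversed, and with 0-99 appended.
sub candidates {
    my ($word) = @_;
    return ($word, ucfirst $word, scalar reverse($word), map { "$word$_" } 0 .. 99);
}

# Take passwd/shadow-style lines and return { user => guessed_password }.
# crypt($candidate, $hash) re-uses the salt embedded in $hash, so equality means a match.
sub crack_passwd {
    my (@lines) = @_;
    my %found;
    for my $line (@lines) {
        my ($user, $hash) = (split /:/, $line)[0, 1];
        next if !defined $hash || $hash eq '' || $hash =~ /^[*!]/;   # locked or no password
        WORD: for my $word (@WORDLIST, lc $user) {                   # the login name is always tried
            for my $cand (candidates($word)) {
                if (crypt($cand, $hash) eq $hash) { $found{$user} = $cand; last WORD; }
            }
        }
    }
    return \%found;
}

# Constructed sample accounts; hashes are made here with the system crypt(3).
my @accounts = (['alice', 'Sunshine', '$6$saltone$'],    # capitalized dictionary word
                ['bob',   'xK9#qLp2vR', '$6$salttwo$'],  # mixed classes, not in any list
                ['carol', 'carol42', '$6$saltthr$']);    # login name plus digits
my @sample = map { "$_->[0]:" . crypt($_->[1], $_->[2]) . ":1000:100::/home/$_->[0]:/bin/sh" } @accounts;

my $guessed = crack_passwd(@sample);
for my $acct (@accounts) {
    my $u = $acct->[0];
    if (my $pw = $guessed->{$u}) {
        # Show what step one would have said about the guessed password.
        my $why = reject_reason($u, $pw) // 'would have passed the checks';
        print "$u: GUESSED '$pw' ($why)\n";
    } else {
        print "$u: not guessed\n";
    }
}
```

With the constructed data, alice and carol are recovered and bob is not, and the check from step one reports why each recovered password should never have been accepted ("dictionary word", "too short"). Two cautions for a real run: the traditional DES crypt() used by older systems only looks at the first eight characters of a password, so length-based strength beyond that is illusory there, and a full Crack run should be done on a copy of the password file on an isolated machine rather than on the production host.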

Finally, a password aging scheme is sometimes used. Many users find it irritating and frustrating to memorize one difficult password, only to have to forget it and memorize a new one a few months later. Password aging is important, though, especially if your site holds proprietary or otherwise sensitive information. Consult your administrative documentation for details on how to implement password aging on your particular architecture.

Monitoring Network Security

General network security can be tested using the SATAN suite of programs. Written in Perl with C helper programs, it probes the hosts on your network for a range of well-known service misconfigurations and holes, and reports what it finds through a browser interface. Run it only against hosts and networks you are responsible for, and treat its report as a starting point for investigation rather than a complete verdict. SATAN is available at most security-related sites, including ftp://coast.cs.purdue.edu/pub/tools/unix/satan.