/* $Id$
 *
 * Title: LSAT (Linux Security Auditing Tool): installing and using a local security scanner
 * Time: 2004-10-10 08:33:21
 *
 * Author: z33
 * Home: http://www.pig8.com/bbs
 * When reposting, please keep this header. Thank you!
 */
LSAT is a local security scanner written by Triode, designed mainly for RPM-based Linux distributions.
First download the latest version of LSAT from:
http://usat.sourceforge.net/code/
Compile it:
z33$ tar xzvf lsat-VERSION.tgz
z33$ cd lsat-VERSION
z33$ ./configure
z33$ make
Run it as root:
root# ./lsat
By default a report named lsat.out is written to the current directory.
A few options can also be given:
-o filename   write the report to filename instead of lsat.out
-v            verbose output
-s            silent: print nothing on the screen, only write the report
-r            run the RPM integrity check, listing files whose contents or permissions differ from what the package installed
Below is a sample report:
************************************************
Please consider removing these packages.
bind-utils-9.2.1-16
nfs-utils-1.0.1-2.9
ypbind-1.11-4
ypbind-1.11-4
redhat-config-nfs-1.0.4-5
sendmail-8.12.8-4
portmap-4.0-54
bind-9.2.1-16
redhat-config-bind-1.9.0-13
sendmail-cf-8.12.8-4
************************************************
Entries below should be services in xinetd.d that
are not disabled.
Please verify that you do not want these disabled.
If nothing is listed below, all services in xinetd.d are disabled.
/etc/xinetd.d/sgi_fam:no
************************************************
Did not find only_from = in /etc/xinetd.conf.
Please add this to allow the subnets that you want to give access to.
************************************************
Lines found in hosts.allow.
Make sure you wish to allow the following:
************************************************
Did not find ALL: ALL in hosts.deny.
Lines found in hosts.deny:
************************************************
Default init level is not set to 5. Good.
************************************************
_Looks_ like you are using the auth log facility
in syslog. Good.
************************************************
_Looks_ like you are using the authpriv log facility
in syslog.
************************************************
This is a list of SUID files on the system:
/bin/ping
/bin/mount
/bin/umount
/bin/su
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
************************************************
This is a list of SGID files/directories on the system:
/root/sendmail.bak
/root/mta.bak
/sbin/netreport
************************************************
List of normal files in /dev. MAKEDEV is ok, but there
should be no other files:
/dev/MAKEDEV
/dev/makedev.afa
************************************************
This is a list of world-writable files:
/etc/cron.daily/backup.sh
/etc/cron.daily/Update_cdv.sh
/etc/megamonitor/monitor
/root/e
/root/pl/outfile
LSAT checks many things; the main ones are:
- unnecessary installed RPM packages
- inetd and xinetd services, plus a number of system configuration files
- SUID and SGID files
- world-writable (777) files
- running processes and listening service ports
More on the home page:
http://usat.sf.net
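The SUID, SGID, world-writable and /dev findings in the sample report can be reproduced and cross-checked without LSAT using plain find(1). The script below is an added example, not LSAT's code and not from the original post; the function names are its own, and every function takes the directory to audit as an argument (defaulting to /) so it can be pointed at a chroot or a constructed test tree.

```shell
#!/bin/sh
# Added example (not LSAT's own code, not from the original post): reproduce
# the file-permission checks LSAT reports with plain find(1), so a finding
# can be cross-checked by hand. Every function takes the directory to audit
# as its first argument (default: /); that argument is this example's own
# convention. -xdev keeps find on one filesystem.

# Regular files with the setuid bit (mode 4000) set.
find_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Regular files with the setgid bit (mode 2000) set.
find_sgid() {
    find "${1:-/}" -xdev -type f -perm -2000 2>/dev/null | sort
}

# Regular files writable by "other" (mode 0002): what LSAT lists under
# "world-writable files".
find_world_writable() {
    find "${1:-/}" -xdev -type f -perm -0002 2>/dev/null | sort
}

# Regular files in a /dev tree other than MAKEDEV; LSAT expects none.
find_dev_regular() {
    find "${1:-/dev}" -xdev -type f ! -name MAKEDEV 2>/dev/null | sort
}

# Print the four lists, separated the way lsat.out separates its sections.
report() {
    root="${1:-/}"
    sep='************************************************'
    echo "$sep"; echo "SUID files under $root:";           find_suid "$root"
    echo "$sep"; echo "SGID files under $root:";           find_sgid "$root"
    echo "$sep"; echo "World-writable files under $root:"; find_world_writable "$root"
    echo "$sep"; echo "Regular files in ${root%/}/dev (MAKEDEV excluded):"
    find_dev_regular "${root%/}/dev"
}

# Run the report only when a root directory is given on the command line,
# so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
    report "$1"
fi
```

Run it as `sh find-checks.sh /` as root and compare its lists with the corresponding sections of lsat.out; anything LSAT missed, or anything that appears in only one of the two, is worth a look.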
Conclusion
The usual way to use LSAT is to run it regularly from cron and diff each new report against the previous one; any difference points to a change in the system's configuration. Findings like the world-writable scripts under /etc/cron.daily in the sample report deserve immediate attention, since a file that root's cron executes and any user can edit is a local root compromise waiting to happen.
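The cron-plus-diff workflow described above, as an added example that is not part of LSAT or the original post: a wrapper that archives each run's report under a dated name and prints the report lines added (">") or removed ("<") since the previous run. The report directory, the path of the lsat binary and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not LSAT's own code, not from the original post): run LSAT
# from cron, keep every report under a dated name and print the report lines
# that were added (">") or removed ("<") since the previous run. REPORT_DIR,
# the LSAT path and the function names are this example's assumptions.

REPORT_DIR="${REPORT_DIR:-/var/log/lsat}"
LSAT="${LSAT:-/usr/local/sbin/lsat}"

# Path of the newest archived report in a directory, or nothing on first run.
latest_report() {
    ls "$1"/lsat-*.out 2>/dev/null | sort | tail -n 1
}

# Diff two reports and print only the changed lines, dropping LSAT's
# "****" separator lines. Returns 0 if nothing changed, 1 otherwise.
compare_reports() {
    changed=$(diff "$1" "$2" | grep '^[<>] ' | grep -v '^[<>] \*\*\*' || true)
    [ -z "$changed" ] && return 0
    printf '%s\n' "$changed"
    return 1
}

# One cron run: write a dated report with -s (nothing on the terminal, so
# cron stays quiet) and compare it with the previous one.
run_audit() {
    mkdir -p "$REPORT_DIR" || return 2
    prev=$(latest_report "$REPORT_DIR")
    cur="$REPORT_DIR/lsat-$(date +%Y%m%d-%H%M%S).out"
    "$LSAT" -s -o "$cur" || return 2
    [ -z "$prev" ] && return 0
    if ! compare_reports "$prev" "$cur"; then
        echo "lsat: report changed since $prev, see $cur" >&2
        return 1
    fi
}

# Only audit when invoked as "lsat-cron.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in
    run) run_audit ;;
esac
```

Install it in root's crontab with the run argument, for example `0 4 * * * /usr/local/sbin/lsat-cron.sh run`; cron mails whatever the job prints to root, so a changed report arrives as mail and a quiet night produces none. Because lsat runs as root and the archive lives on the same host, an intruder who gets root can rewrite both the system and the old reports; copy the archive off the host if the comparison is meant to survive a compromise.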