SGI EnlightenDSM 3.1 / DEC3240 / COMMON / config / remedies
Text file, 1999-04-16, 17KB, 348 lines
1000
DUPLICATE UID
UNIX identifies an account by its numeric userid, not by its name, so all
accounts that share a userid are the same user to the kernel: each has full
access to the files and processes of the others. A few main system accounts
often share a userid (most often userid number zero), and a few system utility
software applications use the same userid for a pair of accounts (such as
"enlighten" and its daemon "enlmd"), but for security reasons no other
accounts should share userids.
From the User Configuration Screen, sort the output by userid. For each set
of duplicate userids that you wish to change, select the ones you wish to
alter, and hit Modify to obtain the detail window. Change the userid in the
detail window and hit Modify.
Alternatively, request Delete from the User Configuration Screen for
duplicate-userid accounts which are out-of-date.
1010
DUPLICATE USERNAME
UNIX will only allow the first account found with a given username to log
into the system. When there are duplicate accounts, the prevailing account
is determined by its physical placement in the /etc/passwd file. To
determine which account has been taking precedence, first request the User
Configuration Screen, do NOT sort the list so that the physical order
remains, but use the "Search List" button to find the given user name. The
first one selected is the account taking precedence. You can then perform
Modify or Delete actions against the other accounts.
From the User Configuration Screen, sort the output by username. For each
set of duplicate usernames that you wish to change, select the ones you
wish to alter, and hit Modify to obtain the detail window. Change the
username in the detail window and hit Modify.
Alternatively, request Delete from the User Configuration Screen for
duplicate-username accounts which are out-of-date.
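The two checks above (1000 and 1010) as an added shell example; this is not
code from the EnlightenDSM remedies file. Both functions read a passwd-format
file: one reports userids held by more than one account, the other reports
duplicated usernames and says which entry wins by its position in the file.
The sample passwd file and the list of accounts allowed to share a userid are
constructed for this example.

```sh
#!/bin/sh
# Added example, not EnlightenDSM code: find duplicate UIDs and duplicate
# usernames in a passwd-format file. Usage: dup_uids FILE ; dup_names FILE
# (FILE defaults to /etc/passwd).

# Constructed sample passwd file.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/:/bin/sh
toor:x:0:0:alternate root:/:/bin/sh
enlighten:x:700:700:Enlighten DSM:/opt/enlighten:/bin/sh
enlmd:x:700:700:Enlighten daemon:/opt/enlighten:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
alice:x:1003:100:Alice (old):/home/alice2:/bin/sh
carol:x:1002:100:Carol:/home/carol:/bin/sh
EOF

# Accounts known to share a UID on purpose (assumed list; the enlighten/enlmd
# pair is the one the text mentions). A set of duplicates made up entirely of
# these names is not reported.
ALLOWED_SHARED="enlighten enlmd"

# Print "UID: name name ..." for every UID held by more than one account.
dup_uids() {
    awk -F: -v allowed="$ALLOWED_SHARED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { names[$3] = names[$3] " " $1; count[$3]++ }
        END {
            for (uid in count) {
                if (count[uid] < 2) continue
                m = split(names[uid], list, " "); all_ok = 1
                for (i = 1; i <= m; i++) if (!(list[i] in ok)) all_ok = 0
                if (!all_ok) print uid ":" names[uid]
            }
        }' "${1:-/etc/passwd}" | sort -n
}

# Print one line per duplicated username. The entry that appears first in the
# file is the one login(1) and getpwnam(3) use; later entries are shadowed and
# can never log in.
dup_names() {
    awk -F: '
        {
            count[$1]++
            if (!($1 in first)) { first[$1] = NR; fuid[$1] = $3 }
            else shadowed[$1] = shadowed[$1] " " NR
        }
        END {
            for (n in count) if (count[n] > 1)
                print n ": line " first[n] " (uid " fuid[n] ") takes precedence; shadowed entries at line(s)" shadowed[n]
        }' "${1:-/etc/passwd}" | sort
}

echo "== duplicate UIDs =="
dup_uids "$SAMPLE_PASSWD"
echo "== duplicate usernames =="
dup_names "$SAMPLE_PASSWD"
```

Run against the real file with `dup_uids /etc/passwd`; the uid 0 pair is
reported on purpose, since the administrator rather than the script should
decide which uid 0 accounts are wanted.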
1020
VULNERABLE DIRECTORIES
Home directories which are writable by users other than the owner are
subject to Trojan Horse programs that general users can create. They also
might have possibly sensitive information in files that are likely allowed
to be overwritten by non-owning users.
Keep up the Wizard Screen for reference while you access the File Search
Screen. Unless you know that all home directories are on specific
partitions, select all partitions for searching. Enter the file names
reported from the Wizard Screen into the "Find Filenames like:" field, with
a space between each one. Request "Execute Search".
For each of the files and directories found, select the given file, and
request "chmod" or "chown" as required, according to the problem reported by
the Wizard check. The files reported as having a potential problem should
generally have the (chmod) file permissions 750 and be owned by the account
whose home directory it is.
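The home-directory check and its remedy as an added shell example, not code
from the EnlightenDSM remedies file. It reads the home directories from a
passwd-format file, flags those with the group or other write bit set, and
applies mode 750 to them. The fixture directories, the passwd file and the
UID cut-off of 1000 for ordinary users are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not EnlightenDSM code: audit the home directories listed in a
# passwd-format file and flag those writable by group or other, then apply the
# mode the text recommends (750). Usage: audit_homes PASSWD ; fix_homes PASSWD

# Constructed fixture: three home directories with different modes.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/home/alice" "$ROOT/home/bob" "$ROOT/home/carol"
chmod 750 "$ROOT/home/alice"   # owner plus group read: acceptable
chmod 775 "$ROOT/home/bob"     # group-writable: any group member can plant files
chmod 777 "$ROOT/home/carol"   # world-writable: anyone can plant a Trojan horse
cat >"$ROOT/passwd" <<EOF
alice:x:1001:100:Alice:$ROOT/home/alice:/bin/sh
bob:x:1002:100:Bob:$ROOT/home/bob:/bin/sh
carol:x:1003:100:Carol:$ROOT/home/carol:/bin/sh
EOF

# For every account with UID >= 1000 (assumed cut-off for ordinary users),
# print "user: dir mode ..." when the group or other write bit is set. The
# mode string comes from ls -ld, which is portable where stat(1) is not.
audit_homes() {
    awk -F: '$3 >= 1000 { print $1 ":" $6 }' "$1" | while IFS=: read -r user home; do
        [ -d "$home" ] || continue
        mode=$(ls -ld "$home" | awk '{ print $1 }')
        group_w=$(printf '%s' "$mode" | cut -c6)
        other_w=$(printf '%s' "$mode" | cut -c9)
        if [ "$group_w" = w ] || [ "$other_w" = w ]; then
            echo "$user: $home $mode writable by non-owner; remedy: chmod 750 $home; chown $user $home"
        fi
    done
}

# Apply the remedy to every flagged directory (chmod only; chown needs root
# and real accounts, so it is left to the administrator).
fix_homes() {
    audit_homes "$1" | awk '{ print $2 }' | while read -r home; do chmod 750 "$home"; done
}

audit_homes "$ROOT/passwd"
```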
1030
EASY PASSWORDS
Accounts with highly obvious passwords mean that the possibility of a
security breach is relatively high. Novices often choose passwords which are
mirrors of their available account information, and "crackers" will try
these types of passwords to gain easy and apparently proper access to your
system. Such access is difficult to trace since it's done through normal
channels.
Keep up the Wizard Screen for reference while you access the User
Configuration Screen. Sort the list by username for easy searches. Select
the users referenced in the Wizard Screen.
To change their passwords immediately, hit the "Password" button. You can
then give each user an unique password and hit "Apply", calling the users
directly to inform them.
Alternatively, you could request "Lock" against these users, which would
suspend login access to their accounts. When the users call in to get help
in logging in, you can then assign a reasonable password.
Alternatively, you could just request the "Mail" button to select a form
letter to inform the selected users of their vulnerable state, and to change
their password immediately. You should re-check the state of their passwords
soon afterward.
1100
FULL DISKS
The Full Disk test reports those file systems which have at least 95% of
usable space allocated. Smaller and more volatile partitions are likely to
fill completely, and a full partition can cause severe system problems:
programs that cannot write their log, spool or temporary files fail in ways
that are hard to trace.
From the Session Preferences item in the Config menu, request a "Long
listing" for the "File list format".
Using the File Search item from the Disk menu, select the partitions which
the Wizard Screen reported as full. It might be wise at this point to also
request "Rebuild" of the disk snapshots, to assure that the information is
up-to-date. Click on "Search Parameters" to obtain the query entry screen.
Enter a size in the first field of the "File Size between" category to
search for large files (begin with a size of at least 1MB, and reduce it as
necessary for subsequent searches). Click on "Execute Search".
Sort the resulting File Systems Detail list by descending file size. At the
top of the list are those files which would produce the greatest effect if
compressed or removed. To further focus on available candidates, select the
files and request "Stats". Those files which have not been modified or
accessed in a long time are most likely not to be missed if removed.
Directly from the File Systems Detail Screen, either apply file compression
(using the "Custom" button) or Delete (possibly requesting "Backup"
beforehand) to the files you choose. You might wish to note the owning
users and send mail regarding your actions.
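The full-disk procedure above as an added shell example, not code from the
EnlightenDSM remedies file: one function reads "df -P" output and reports file
systems at or above a threshold, the others find the largest files under a
directory and the large files nobody has touched for a long time. The df
output, the fixture files and the 1999 timestamp are constructed for the
example.

```sh
#!/bin/sh
# Added example, not EnlightenDSM code: the full-disk procedure as shell
# functions. full_filesystems reads "df -P" output and reports file systems at
# or above a percentage; large_files and stale_large_files find the files
# most worth compressing or removing.

# Constructed df -P output (the column layout of the POSIX -P format).
SAMPLE_DF='Filesystem         1024-blocks    Used Available Capacity Mounted on
/dev/dsk/c0t0d0s0      1032560  412600    537040      44% /
/dev/dsk/c0t0d0s3      2064320 1980400     20000      99% /var
/dev/dsk/c0t0d0s7      4128640 3955000    132000      97% /home
/dev/dsk/c0t0d0s4      1032560  600000    380000      62% /usr'

# full_filesystems THRESHOLD: read df -P output on stdin and print
# "mountpoint use%" for each file system at or above THRESHOLD percent.
full_filesystems() {
    awk -v t="$1" 'NR > 1 { use = $5; sub(/%/, "", use); if (use + 0 >= t) print $6, $5 }'
}

# large_files DIR MINBYTES: regular files larger than MINBYTES as "bytes path",
# largest first (ls -ld field 5 is the size; paths with spaces are not handled).
large_files() {
    find "$1" -type f -size +"$2"c -exec ls -ld {} + | awk '{ print $5, $NF }' | sort -rn
}

# stale_large_files DIR MINBYTES DAYS: large files not modified for DAYS days,
# the ones least likely to be missed if removed.
stale_large_files() {
    find "$1" -type f -size +"$2"c -mtime +"$3"
}

# Constructed fixture: a 2 MB log untouched since 1999 and a 512 KB recent one.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/var/log"
dd if=/dev/zero of="$ROOT/var/log/old.log" bs=1024 count=2048 2>/dev/null
dd if=/dev/zero of="$ROOT/var/log/recent.log" bs=1024 count=512 2>/dev/null
touch -t 199904160000 "$ROOT/var/log/old.log"

printf '%s\n' "$SAMPLE_DF" | full_filesystems 95
large_files "$ROOT" 1048576
stale_large_files "$ROOT" 1048576 365
```

On a live system the first call becomes `df -P | full_filesystems 95`, and
the reported mount points are passed to `large_files` one at a time.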
1110
SETUID PROGRAMS
Programs known in UNIX as "set-uid" run with the privileges of the file's
owner rather than those of the user who invoked them, as if the owner had run
the program. Set-uid mode is most often found on programs which require
specialized, highly controlled access to data: vendor "database traffic"
programs, and programs which users call to modify critical personal system
data (such as the password modification routine).
Because of the heightened access these programs carry (the owner is often
user "root"), it is wise to keep an eye on them; they should be few in
number, and remain static.
Checks are made to make sure that set-uid programs are found in system
directories. Certain applications, however, whose binaries are not installed
in a system directory may still require set-uid mode. The administrator
should check the list for anomalies such as files with strange names, and
set-uid files found in users' HOME directories.
Checks are also made for world writability of a set-uid file. An otherwise
legitimate set-uid program with world write permission can be replaced by any
user with (for example) a Trojan horse, which then runs with the owner's
privileges: a major security hole. Removing world write permission is safe
and should be done at once, since no legitimate set-uid program needs to be
writable by everyone. Before removing the set-uid bit itself, check the
program's validity with (for example) the software vendor from whom you
purchased the software.
Keep up the Wizard Screen for reference while you access the File Search
Screen. Unless you know that all the files are on specific partitions,
select all partitions for searching. Enter the file names reported from the
Wizard Screen into the "Find Filenames like:" field, with a space between
each one. Request "Execute Search", and select the whole list.
Request "Stats" to look at the detailed information on each file. Note any
oddities, such as odd names or an unknown user or group name; this
information might become useful later when tracing the source of errant
files.
If you come upon files that shouldn't have set-uid permission mode, then
request "Delete" or "chmod" against them.
1120
DEVICES NOT IN "/dev/"
UNIX device files are the interfaces to the system hardware. Through them one
can read and write (for example) the raw hard disk and kernel memory,
bypassing ordinary file permissions entirely. Such devices are required on
the system, but they should always be found in the "/dev" directory with the
appropriate protection mode. A device file is rarely required outside "/dev",
and one found elsewhere is often the trace of a break-in: an intruder who
once held root can leave a copy of the disk or memory device with loose
permissions in order to keep access after the original hole is closed.
Keep up the Wizard Screen for reference while you access the File Search
Screen. Find files of type "Block Special" and "Character Special", and Skip
Filenames like "/dev/*". The files found in the resulting search should be
carefully scrutinized. Try to determine who created them and for what
purpose. One might want to delete them, or change their ownership to root
and their permissions to 700.
On some UNIX System V Release 4 systems, such as Solaris 2.x, a secondary
device directory "/devices" exists. On such a system this directory is
considered a legal repository for device files. Consequently, in the File
Search, filenames like "/devices/*" should also be skipped.
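The two file-search sweeps from 1110 (set-uid programs) and 1120 (devices not
in "/dev") as one added shell example, not code from the EnlightenDSM
remedies file. The first function lists set-uid and set-gid files under a
root and flags the anomalies the text describes (outside the system
directories, in a HOME directory, world-writable); the second lists device
nodes outside "/dev" and "/devices". The fixture tree and the list of system
directories are assumptions made for the example. Creating device nodes
needs root, so the device sweep is shown returning nothing on a tree that
contains none.

```sh
#!/bin/sh
# Added example, not EnlightenDSM code: the two file-search sweeps from checks
# 1110 and 1120 as find(1) queries. find_setuid lists set-uid/set-gid files
# under a root and flags the anomalies the text describes; find_stray_devices
# lists device nodes outside /dev and /devices.

# Constructed fixture. Setting the set-uid bit on your own files needs no
# privilege; creating device nodes does, so the device sweep runs on a tree
# that contains none.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/bin" "$ROOT/home/mallory" "$ROOT/opt/vendor/bin" "$ROOT/dev"
for f in usr/bin/passwd usr/bin/broken home/mallory/.sh opt/vendor/bin/dbtraffic; do
    : >"$ROOT/$f"
    chmod 755 "$ROOT/$f"
done
chmod u+s "$ROOT/usr/bin/passwd"            # expected: set-uid in a system directory
chmod 4777 "$ROOT/usr/bin/broken"           # set-uid AND world-writable: replaceable by a Trojan horse
chmod u+s "$ROOT/home/mallory/.sh"          # set-uid file hidden in a HOME directory
chmod u+s "$ROOT/opt/vendor/bin/dbtraffic"  # vendor program outside system dirs: confirm with the vendor

# Directories where set-uid programs are expected (assumed list; tune per system).
SYSTEM_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec /usr/etc"

# find_setuid ROOT: "path mode flags" for each set-uid/set-gid regular file,
# paths relative to ROOT. Flags: outside-system-dir, in-home-dir,
# world-writable, or ok when none apply.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort | while read -r f; do
        rel=${f#"$1"}
        mode=$(ls -ld "$f" | awk '{ print $1 }')
        flags=""
        case " $SYSTEM_DIRS " in
            *" $(dirname "$rel") "*) ;;
            *) flags="$flags outside-system-dir" ;;
        esac
        case "$rel" in /home/*) flags="$flags in-home-dir" ;; esac
        if [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then flags="$flags world-writable"; fi
        echo "$rel $mode${flags:- ok}"
    done
}

# find_stray_devices ROOT: block/character special files anywhere under ROOT
# except ROOT/dev and ROOT/devices (the SVR4 secondary device directory).
find_stray_devices() {
    find "$1" \( -path "$1/dev" -o -path "$1/devices" \) -prune -o \
        \( -type b -o -type c \) -print
}

find_setuid "$ROOT"
find_stray_devices "$ROOT"
```

Against a live system call both with `/` as the root (add `-xdev` to the
find commands to stay on local file systems); anything the device sweep
prints deserves the scrutiny the text asks for.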
1130
SYSTEM EXECUTABLES
UNIX requires a set of specialized programs that perform the bulk of the
system's maintenance and operation. These programs have access to extremely
sensitive areas of system data. Protecting these files from unauthorized
access is important to the health of the system.
Keep up the Wizard Screen for reference while you access the File Search
Screen. Unless you know that all the files are on specific partitions,
select all partitions for searching. Enter the file names reported from the
Wizard Screen into the "Find Filenames like:" field, with a space between
each one. Request "Execute Search", and select the whole list.
Request "Stats" to look at the detailed information on each file. Note any
oddities, such as an unknown user or group name, changes in size, and other
information. This information might become useful later when tracing the
source of errant files.
If you have not updated the operating system since the time of the basis
snapshot, and yet the File Stats Detail Screen shows alteration of any
critical system executable, then take action immediately. For changes in
permission or ownership, reset these files back to the original settings
using the Disk File Detail Screen. For changes in size or modification time,
rename the program for later study and replace it with a known "pristine"
copy from the distribution media. An unchanged size is not proof of an
unchanged program, since a replacement can be padded to the original size;
compare a checksum against the basis snapshot as well.
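A minimal "basis snapshot" and comparison for system executables as an added
shell example, not code from the EnlightenDSM remedies file. Each snapshot
line records mode, owner, group, size and a cksum(1) CRC, so a replaced
binary is caught even when the replacement was padded to the original size.
The fixture directory standing in for /bin and the simulated changes are
constructed for the example.

```sh
#!/bin/sh
# Added example, not EnlightenDSM code: a minimal "basis snapshot" of system
# executables and a later comparison against it. Each line records mode,
# owner, group, size and CRC (cksum), so a replaced binary is caught even
# when the replacement was padded to the original size.

# Constructed fixture standing in for /bin.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin"
printf 'original login\n' >"$ROOT/bin/login"
printf 'original ls\n'    >"$ROOT/bin/ls"
chmod 755 "$ROOT/bin/login" "$ROOT/bin/ls"

# snapshot DIR OUT: write "mode owner group size crc path" per regular file.
# Paths containing spaces are not handled (system binaries have none).
snapshot() {
    dir=$1; out=$2
    find "$dir" -type f | sort | while read -r f; do
        set -- $(ls -ld "$f")            # mode links owner group size ...
        crc=$(cksum "$f" | awk '{ print $1 }')
        echo "$1 $3 $4 $5 $crc $f"
    done >"$out"
}

# compare BASELINE DIR: take a fresh snapshot of DIR and print NEW, MISSING
# and CHANGED lines. Returns 0 when DIR matches BASELINE, 1 otherwise.
compare() {
    base=$1; dir=$2; now=$(mktemp)
    snapshot "$dir" "$now"
    changes=$(awk '
        NR == FNR { rec[$6] = $1 " " $2 " " $3 " " $4 " " $5; next }
        {
            cur = $1 " " $2 " " $3 " " $4 " " $5
            if (!($6 in rec)) print "NEW " $6
            else if (rec[$6] != cur) print "CHANGED " $6 " was [" rec[$6] "] now [" cur "]"
            delete rec[$6]
        }
        END { for (f in rec) print "MISSING " f }' "$base" "$now")
    rm -f "$now"
    if [ -z "$changes" ]; then return 0; fi
    printf '%s\n' "$changes"
    return 1
}

snapshot "$ROOT/bin" "$ROOT/basis"       # taken while the system is known good
printf 'trojan\n' >>"$ROOT/bin/ls"       # simulated replacement: size and CRC change
chmod 4755 "$ROOT/bin/login"             # simulated permission change: set-uid added
compare "$ROOT/basis" "$ROOT/bin" || echo "basis snapshot differs: investigate before trusting these binaries"
```

The basis file must be kept where an intruder with root cannot rewrite it
(offline media or a read-only mount), otherwise the comparison proves
nothing. The remedy the text gives for a changed binary is `mv ls ls.suspect`
followed by restoring a pristine copy and taking a fresh snapshot.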
1200
DOWN PRINTERS
Printers considered "Down" are those for which the printer queue is
currently disabled. A particular print queue being disabled might be a
desirable state, especially for the case of a printer with multiple print
queues that can handle only one paper tray, but requires different paper
depending on the type of print queue. This Wizard report is only an
indication that something might be wrong with the printer.
Keep up the Wizard Screen for reference while you access the Configure
option in the Printer menu. For those printers which you feel should be
active, select them and choose "Enable".
If a printer cannot be permanently enabled, check the physical printer and
its connections for problems.
1210
LONG PRINT QUEUES
Long printer queues occur for a variety of reasons, but are due in most
cases to either a disabled print queue or extremely long print jobs.
Keep up the Wizard Screen for reference while you access the Configure
option in the Printer menu. Check the status of those printers which the
Wizard check declared to have long queues.
For those print queues which are inactive ("Disabled"), select them and
request "Enable" (as long as you know that the queue is not sharing a
printer with another active but incompatible queue). If the printer does not
restart, check the physical printer and its connections.
For those print queues which are active ("Enabled"), select them and request
"Jobs" to view the queued print requests and determine if they are causing a
backup. For multiple large pending jobs, you can request "Move" to transfer
some pending jobs to another compatible print queue.
1220
LARGE PRINT JOBS
Large print jobs are common, but the question in a production environment is
really over when it is appropriate to actually print them. Bottlenecks to
many users' productivity can occur if just one user prints massive database
queries or images.
Keep up the Wizard Screen for reference while you access the Queue option in
the Printer menu. Choose print jobs you feel are inappropriate and either
"Cancel" them or "Move" them to other unburdened or disabled print queues
for later printing.
If a current job must finish, then you could instead select the reasonable
jobs and request "Move" to transfer them to another compatible, active print
queue. Inform the users of the move so they know where to obtain their
printouts.
1300
SERVERS UP
The Server test is accomplished by connecting to a common network-available
facility on the targeted hosts. If the connection is not accomplished, then
the server is considered "down". This might not actually be the case; the
server's daemon which enables the network connection might have died, and
may need to be restarted (this situation is improbable but still possible).
Try alternative methods to connect to the server, especially rlogin, rsh or
telnet. If these do not work, check the physical connections and the console
of the server itself.
1310
SWAP SPACE
UNIX requires "swap space" to temporarily house process information when
programs exceed the available memory resources of the system. The method of
storing this information, and its burden on the system, differs widely
between vendors. There are "rules of thumb" for estimating the resources
required, but only through experience can an administrator gain enough
knowledge to accurately configure a system. Results from exceeding swap
allocation can be difficult to trace; often recently started processes seem
to just disappear without warning. Using the Enlighten Wizard check, the
administrator can get some idea of allocation problems.
When swap space is reportedly low according to the Wizard test, request
"Process Status" from the User/Activity Monitor menu. (You can also request
either a User or System-TTY CPU Summary to review a smaller set of data).
Sort the resulting screen by descending memory usage, so that the most likely
swap space hogs rise to the top of the list.
Check the list for commands (located at the far right) that are either
unnecessary or inappropriate (such as games). Select these processes and
request "Terminate" to free their resources.
Recheck the swap space through Wizard, and take further action as required.
1400
HOST ADDRESS CONFLICT
The hosts database, which contains a list of known hosts and their
associated IP addresses, has been tested for host names which are associated
with more than one IP address.
For host names which are found to have more than one IP address associated
with them, you must decide which address is the correct one. You can then
use the Host Configuration menu to modify the selected host entries. Either
modify the selected host entries to have the proper address, or copy the
correct address to each host which has an incorrect address.
Run the Enlighten Expert on a regular basis to check for host address
conflicts.
1410
HOST NAME CONFLICT
The hosts database, which contains a list of known hosts and their
associated IP addresses, has been tested for host IP addresses which are
associated with more than one host name.
For host IP addresses which are found to have more than one host name
associated with them, you must decide which host name is the correct one.
You can then use the Host Configuration menu to modify the selected host
entries. Either modify the selected host entries to have the proper name, or
copy the correct host name to each host which has an incorrect name.
Run the Enlighten Expert on a regular basis to check for host name
conflicts.
1420
HOST ALIAS CONFLICT
The hosts database, which contains a list of known hosts and their
associated IP addresses, has been tested for host aliases which are
associated with more than one host name.
For host aliases which are found to have more than one host name associated
with them, you must decide which host has the right to use the given alias.
You can then use the Host Configuration menu to modify the selected host
entries. For example, modify the selected host entries to have the proper
alias.
Run the Enlighten Expert on a regular basis to check for host alias
conflicts.
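The three hosts-database checks (1400, 1410 and 1420) as one added shell
example, not code from the EnlightenDSM remedies file: three awk functions
over a hosts(5)-format file that report names with more than one address,
addresses with more than one canonical name, and aliases claimed by more than
one host. The sample hosts file, with one conflict of each kind, is
constructed for the example.

```sh
#!/bin/sh
# Added example, not EnlightenDSM code: the three hosts-database checks (1400,
# 1410, 1420) over a hosts(5)-format file. Usage: FUNCTION FILE
# (FILE defaults to /etc/hosts). Comments are stripped; blank lines ignored.

# Constructed sample with one conflict of each kind.
SAMPLE_HOSTS=$(mktemp)
cat >"$SAMPLE_HOSTS" <<'EOF'
# address     canonical   aliases
127.0.0.1     localhost
10.1.1.10     fileserver  fs
10.1.1.11     mailhost    mail
10.1.1.20     fileserver             # 1400: same name, second address
10.1.1.11     backupmail             # 1410: same address, second name
10.1.1.30     printhost   mail lp    # 1420: alias "mail" also claimed by mailhost
EOF

# 1400 HOST ADDRESS CONFLICT: "name: addr addr ..." for names with several addresses.
host_address_conflicts() {
    awk '{ sub(/#.*/, ""); if (NF < 2) next
           if (!(($2, $1) in seen)) { seen[$2, $1] = 1; addrs[$2] = addrs[$2] " " $1; n[$2]++ } }
         END { for (h in n) if (n[h] > 1) print h ":" addrs[h] }' "${1:-/etc/hosts}" | sort
}

# 1410 HOST NAME CONFLICT: "addr: name name ..." for addresses with several canonical names.
host_name_conflicts() {
    awk '{ sub(/#.*/, ""); if (NF < 2) next
           if (!(($1, $2) in seen)) { seen[$1, $2] = 1; names[$1] = names[$1] " " $2; n[$1]++ } }
         END { for (a in n) if (n[a] > 1) print a ":" names[a] }' "${1:-/etc/hosts}" | sort
}

# 1420 HOST ALIAS CONFLICT: "alias: host host ..." for aliases used by several hosts.
host_alias_conflicts() {
    awk '{ sub(/#.*/, ""); if (NF < 3) next
           for (i = 3; i <= NF; i++)
               if (!(($i, $2) in seen)) { seen[$i, $2] = 1; owners[$i] = owners[$i] " " $2; n[$i]++ } }
         END { for (a in n) if (n[a] > 1) print a ":" owners[a] }' "${1:-/etc/hosts}" | sort
}

host_address_conflicts "$SAMPLE_HOSTS"
host_name_conflicts "$SAMPLE_HOSTS"
host_alias_conflicts "$SAMPLE_HOSTS"
```

Identical lines repeated in the file are counted once, so only genuine
conflicts are reported; the text's advice to run the check regularly applies
equally to this script, since the hosts file changes whenever machines are
added.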