KUANG

Section: User Commands (1)
Updated: 4 October 1990
 

NAME

kuang - find security problems through rule based analysis  

SYNOPSIS

kuang [-v] [-d] [-l] [-D] [-f filedata] [u.username]
kuang [-v] [-d] [-l] [-D] [-f filedata] [g.groupname]
 

DESCRIPTION

kuang uses rule-based analysis to examine the current security configuration of a site and determine whether certain security problems exist.

kuang contains embedded rules that describe the protection model and some of the attacker tricks used on Unix systems. It uses these rules to reason backward from a desired goal (such as "grant u.root"), generating potential "attack" plans from the rules and the file system state, and then evaluating them to see whether they are reachable according to the state recorded in the password and group files and in the ownership and modes of the file systems.

By default, kuang uses "grant u.root" as its initial goal. You can change that by specifying a username (u.username) or groupname (g.groupname) on the command line. Normally kuang considers a plan successful if it finds that anyone (u.other) can reach the initial goal.

The -v option causes kuang to print a message about every plan added to the evaluation list. This can help one to understand how kuang works. The -d option causes kuang to print a message when it evaluates a plan to decide whether to retain it and build on it, or to ignore it. Be warned that these options often produce a great deal of output.

Normally kuang only registers success when it finds that everyone on the system can become the target uid or gid. With the -l option, kuang will list every uid that can become the goal. This provides a more complete picture of the state of security - you might deem it a problem if several users can become root, even if the rest cannot.

One might adopt the view that each uid should only be accessible by itself and root, and that each gid should be accessible only by the members of that group and root. One can then compare the expected access list for a given uid or gid against the kuang generated list to find security problems that kuang wouldn't ordinarily tell you about.

The goals that kuang uses seem cryptic, but are really pretty straightforward. Each goal consists of a list of <action> <object> pairs. Typical actions are grant, write and replace. Typical objects are user names (u.username), group names (g.groupname) and file names. The goal "grant u.root" means to have access to the root UID (0), in other words, to be able to run any program using that uid. Similarly, "grant g.staff" means to have access to group staff. The long goal "grant u.bill grant g.graphics replace /n/shoe/0/fred replace /n/shoe/0/fred/.profile grant u.fred grant g.staff" means: become user bill, get access to the graphics group, replace the file /n/shoe/0/fred, replace /n/shoe/0/fred/.profile, become fred, and gain access to the staff group. The problem that allows this to happen is that the /n/shoe/0 directory is writable by the graphics group, meaning that anyone in that group can replace the .profile file for the fred user and gain access to that account, and to the groups it belongs to, when fred next logs in. Ooops.

To do a thorough job, kuang really needs to be able to access all of the controlling files of all users. In some environments, home directories are located on NFS-mounted file systems where the client doesn't have root access.

The problem is that some home directories may be protected so that group foo can read/write them, but OTHER can't. kuang running as some user not in group foo won't be able to read or search the directory, creating a blind spot that may hide security problems (for example, if group foo can write that user's .login and gain access to some other important privilege...). Running kuang as root won't help unless we are running on the server that exports that file system, since root==nobody through NFS here. Of course, then you'll find other blind spots on other servers, meaning that you'll never be able to see a complete picture of how things are from any spot on the net. Running kuang on every machine might not even help, since the blind spots might prevent any of them from seeing a viable path to success. Sigh.

So we've added a -f option that causes kuang to preload owner, group and mode information for a list of files. Each line of the file should be of the form "type uid gid mode name". type is ignored by kuang. uid and gid are the user and group ID numbers, in decimal. mode is the permissions for the file, in octal. And name is the name of the file. We've also added a program called get-cf that can be run as root on a server to create a file of the above form for the control files of the users with home directories on that server. Then you can run get-cf on every server as root, concatenate all the data together, and preload it into Perl. This will fix the blind-spot problems mentioned above and should also speed things up, since you won't need to do all the file system references.
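As an added illustration (not code from kuang, COPS or get-cf), here is a small Python parser for the "type uid gid mode name" preload format just described, together with a check that reproduces the reasoning behind the /n/shoe/0 example in the goal discussion above: a user's control file can be replaced by a non-owner when the file itself, or a directory above it, is group- or world-writable. The sample lines, uid/gid numbers and the names parse_preload, replace_risks and scan are constructed for this example and are not kuang's own.

```python
import posixpath

# Constructed sample in the "type uid gid mode name" layout kuang -f reads (uid/gid
# decimal, mode octal), after the man page's /n/shoe/0 case; ids are made up.
SAMPLE = """\
d 0 50 0775 /n/shoe/0
d 101 20 0755 /n/shoe/0/fred
f 101 20 0644 /n/shoe/0/fred/.profile
d 102 20 0755 /home/alice
f 102 20 0644 /home/alice/.profile
d 103 20 0755 /home/carol
f 103 20 0664 /home/carol/.login
"""

def parse_preload(text):
    """Return {name: (type, uid, gid, mode)}; kuang ignores type, scan() uses it."""
    entries = {}
    for raw in text.splitlines():
        fields = raw.split(None, 4)  # at most 5 fields, so a name may hold spaces
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 5:
            raise ValueError(f"bad preload line: {raw!r}")
        ftype, uid, gid, mode, name = fields
        entries[name] = (ftype, int(uid, 10), int(gid, 10), int(mode, 8))
    return entries

def replace_risks(entries, name):
    """Reasons a non-owner could replace `name`: it, or an ancestor directory in the
    preload data, is group/world-writable (sticky ancestors are skipped)."""
    risks, path = [], name
    while True:
        info = entries.get(path)
        if info and not (path != name and info[3] & 0o1000):
            if info[3] & 0o002:
                risks.append(f"{path} world-writable")
            elif info[3] & 0o020:
                risks.append(f"{path} writable by gid {info[2]}")
        parent = posixpath.dirname(path)
        if parent == path:
            break
        path = parent
    return risks

def scan(entries):
    """Every non-directory entry that has at least one replace risk."""
    return {name: risks for name, info in entries.items()
            if info[0] != "d" and (risks := replace_risks(entries, name))}
```

Directories missing from the preload data are silently trusted, which is exactly the blind spot the text warns about; feeding scan() the concatenated output from every server closes it.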

kuang -f file will use a DBM database in place of a text file if file.dir exists. To create a DBM database from a text file of the form described above, use kuang -f file -D. This reads in the text file, creates a DBM database from it, and quits. This speeds up kuang's initialization somewhat, though it isn't clear that it's worth doing unless you have a local disk for the DBM file.

 

SEE ALSO

"Rule Based Analysis of Computer Security", Robert W. Baldwin, MIT, June 1987.  

NOTES

This version of kuang is based on the shell script versions that Dan Farmer included with the COPS security package, which in turn were based on code written by Robert Baldwin himself.

You should read the other documentation that comes with this version and modify the rules in kuang to suit your site.

 

BUGS

The rules should be extracted from the code so that they could be augmented in a site specific fashion more readily.

The system doesn't work correctly when multiple users in the password file share the same UID. In that event, it only checks plans for the first.
