HardeningRedHat9 Evaluation
From Rivalug Wiki
This document is used in conjunction with HardeningRedHat9.
Also see HardeningRedHat9_Evaluation
Unhardened System
CIS Benchmark Score 1
Positive: 1.1 System appears to have been patched within the last month.
Neutral: 1.2 Baseline Your System Before Making Changes (NOT SCORED)
Negative: 1.3 sshd_config parameter Protocol is not set.
Positive: 1.3 sshd_config parameter PermitRootLogin has default negative value.
Negative: 1.3 sshd_config parameter Banner is not set.
Negative: 1.3 ssh_config must have 'Protocol 2' underneath Host *.
Negative: 1.4 sysstat system accounting package is NOT installed.
Negative: 1.5 Bastille Linux package is NOT installed.
Positive: 2.1 inetd/xinetd is not listening on any of the miscellaneous ports checked in this item.
Positive: 2.2 IPTables firewall is installed.
Positive: 2.3 telnet is deactivated.
Positive: 2.4 ftp is deactivated.
Positive: 2.5 rsh, rcp and rlogin are deactivated.
Positive: 2.6 tftp is deactivated.
Positive: 2.7 imap is deactivated.
Note: 3.1 Bad or no umask set in /etc/rc.d/init.d/functions -- checking first init script now.
Negative: 3.1 umask not found in first /etc/rcX.d script /etc/rc3.d/S05kudzu.
Positive: 3.2 inetd has been deactivated.
Positive: 3.3 Mail daemon is not listening on TCP 25.
Positive: 3.4 Graphical login is deactivated.
Positive: 3.5 X Font Server (xfs) script has been deactivated
Negative: 3.6 Misc. Boot Services -- apmd not deactivated.
Negative: 3.6 Misc. Boot Services -- gpm not deactivated.
Negative: 3.6 Misc. Boot Services -- isdn not deactivated.
Positive: 3.7 Windows compatibility servers (samba) have been deactivated.
Positive: 3.8 NFS Server script nfs is deactivated.
Negative: 3.9 NFS script nfslock not deactivated.
Negative: 3.9 NFS script autofs not deactivated.
Positive: 3.10 NIS Client processes are deactivated.
Positive: 3.11 NIS Server processes are deactivated.
Negative: 3.12 RPC rc-script (portmap) has not been deactivated.
Negative: 3.13 netfs rc script not deactivated.
Positive: 3.14 printing daemon is deactivated.
Positive: 3.15 Web server is deactivated.
Positive: 3.16 SNMP daemon is deactivated.
Positive: 3.17 DNS server is deactivated.
Positive: 3.18 SQL database server is deactivated.
Positive: 3.19 Webmin GUI-based system administration daemon deactivated.
Positive: 3.20 Squid web cache daemon deactivated.
Negative: 3.21 Kudzu hardware detection program has not been deactivated.
Negative: 4.1 sysctl net.ipv4.conf.default.secure_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.all.secure_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.all.rp_filter=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.icmp_echo_ignore_broadcasts=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.conf.all.accept_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.default.accept_source_route=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.tcp_syncookies=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.conf.default.accept_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.tcp_max_syn_backlog=256 and should be >= 4096.
Negative: 4.2 sysctl net.ipv4.conf.all.send_redirects=1 and should be '0'.
Negative: 4.2 sysctl net.ipv4.conf.default.send_redirects=1 and should be '0'.
Negative: 4.2 /etc/sysctl.conf should not be world or group readable.
Positive: 5.1 syslog captures authpriv messages.
Positive: 5.2 FTP server is configured to do full logging.
Positive: 5.3 All logfile permissions and owners match benchmark recommendations.
Negative: 6.1 /usr is not mounted nodev.
Negative: 6.1 /home is not mounted nodev.
Negative: 6.1 /boot is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nodev.
Negative: 6.3 PAM allows users to mount removable media: <floppy>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <cdrom>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <pilot>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <jaz>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <zip>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <ls120>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <camera>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <memstick>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <flash>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <diskonkey>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rem_ide>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rio500>. (/etc/security/console.perms)
Positive: 6.4 password and group files have right permissions and owners.
Positive: 6.5 all temporary directories have sticky bits set.
Negative: 6.9 The hotplug package is installed.
Negative: 6.9 The kernel-pcmcia-cs package is installed.
Positive: 7.1 rhosts authentication totally deactivated in PAM.
Positive: 7.2 FTP daemons do not permit system users to use FTP.
Positive: 7.3 X11 Server is not running or is not listening on TCP port 6000.
Negative: 7.4 Couldn't open cron.allow
Negative: 7.4 Couldn't open at.allow
Negative: 7.5 The permissions on /etc/crontab are not sufficiently restrictive.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty7.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty8.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty9.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty10.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty11.
Negative: 7.8 GRUB isn't password-protected.
Negative: 7.9 /etc/inittab needs a /sbin/sulogin line for single user mode.
Positive: 7.10 /etc/exports is empty or doesn't exist, so it doesn't need to be tuned for privports.
Positive: 7.11 System is running syslogd without the -r switch, and is NOT accepting remote logging.
Negative: 8.1 bin has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 adm has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 lp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mail has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 news has a valid shell of /bin/sh. Remember, an empty shell field in /etc/passwd signifies /bin/sh.
Negative: 8.1 uucp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 operator has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 games has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 gopher has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 ftp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 nobody has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpm has a valid shell of /bin/bash.
Negative: 8.1 vcsa has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 nscd has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 sshd has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpc has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpcuser has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mailnull has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 smmsp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 pcap has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Positive: 8.2 All users have passwords
Negative: 8.3 /etc/login.defs value PASS_MAX_DAYS = 99999, but should not exceed 90.
Negative: 8.3 /etc/login.defs value PASS_MIN_DAYS = 0, but should not be less than 7.
Negative: 8.3 /etc/login.defs value PASS_MIN_LEN = 5, but should be at least 6.
Positive: 8.4 There were no +: entries in passwd, shadow or group maps.
Positive: 8.5 Only one UID 0 account AND it is named root.
Positive: 8.6 root's PATH is clean of group/world writable directories or the current-directory link.
Positive: 8.7 No user's home directory is world or group writable.
Positive: 8.8 No group or world-writable dotfiles in user home directories!
Positive: 8.9 No user has a .netrc file.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block group-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block group-read/write/execute.
Negative: 8.11 Coredumps aren't deactivated.
Positive: 8.12 The standard compiler packages are not installed.
Negative: 8.13 Pam /etc/pam.d/su does not require wheel group for su access.
Neutral: 8.14 reboot -- not scored :-)
Negative: 9.1 /etc/motd doesn't contain an authorized usage only banner.
Negative: 9.1 /etc/issue doesn't contain an authorized usage only banner.
Positive: 9.2 No GUI config files found, Authorized Usage banners not required.
Positive: 9.3 No FTP config files found, Authorized Usage banners not required.
Preliminary rating given at time: Sun Feb 6 05:12:20 2005
Preliminary rating = 6.06 / 10.00
Positive: 6.6 No non-standard world-writable files.
Positive: 6.7 No non-standard SUID/SGID programs found.
Final rating = 6.25 / 10.00
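The 4.1/4.2 sysctl findings above are the easiest of these items to turn into a repeatable check. The script below is an added example written for this page, not code from the CIS scoring tool or from HardeningRedHat9. It takes a file in `sysctl -a` format (`key = value`, one per line), reports each benchmark key as OK, FAIL or MISSING, and can emit the corrected lines in /etc/sysctl.conf syntax so the weak and hardened settings sit side by side. The expected values are the ones the scorer printed above; the sample input is constructed from the Negative lines, not a fresh capture.

```shell
#!/bin/sh
# Added example (not from the wiki page or the CIS scorer): audit the kernel
# network parameters flagged under CIS items 4.1/4.2 above.
# Usage: sysctl -a > before.txt ; sh cis_sysctl_audit.sh before.txt

# Expected settings, one per line: key operator value ("eq" exact, "ge" >=).
# Values are the ones the scorer's Negative: 4.1/4.2 lines ask for.
cis_expected() {
cat <<'EOF'
net.ipv4.conf.default.secure_redirects eq 0
net.ipv4.conf.all.secure_redirects eq 0
net.ipv4.conf.all.rp_filter eq 1
net.ipv4.icmp_echo_ignore_broadcasts eq 1
net.ipv4.conf.all.accept_redirects eq 0
net.ipv4.conf.default.accept_source_route eq 0
net.ipv4.tcp_syncookies eq 1
net.ipv4.conf.default.accept_redirects eq 0
net.ipv4.tcp_max_syn_backlog ge 4096
net.ipv4.conf.all.send_redirects eq 0
net.ipv4.conf.default.send_redirects eq 0
EOF
}

# audit_sysctl FILE: FILE holds "key = value" lines as printed by sysctl -a.
# Prints one line per benchmark key: "OK key=value", "FAIL key=value (want op
# expected)" or "MISSING key" when the file does not mention the key at all.
audit_sysctl() {
    cis_expected | while read -r key op want; do
        have=$(awk -v k="$key" '$1 == k { print $3; exit }' "$1")
        if [ -z "$have" ]; then
            echo "MISSING $key"
        elif [ "$op" = eq ] && [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        elif [ "$op" = ge ] && [ "$have" -ge "$want" ] 2>/dev/null; then
            echo "OK $key=$have"
        else
            echo "FAIL $key=$have (want $op $want)"
        fi
    done
}

# sysctl_conf_fix: the corrected settings in /etc/sysctl.conf syntax. Append
# the output to /etc/sysctl.conf and load it with "sysctl -p"; the benchmark
# also wants that file unreadable by group and others (item 4.2).
sysctl_conf_fix() {
    cis_expected | while read -r key op want; do
        echo "$key = $want"
    done
}

# Constructed sample in sysctl -a format, reflecting the unhardened values the
# scorer reported above (every key fails).
sample_unhardened() {
cat <<'EOF'
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
EOF
}

# With a file argument, audit it; with none, do nothing (functions only).
case "${1:-}" in
    "") ;;
    *)  audit_sysctl "$1" ;;
esac
```

Run `sysctl -a > before.txt` before hardening and keep the file, since scorer item 1.2 is exactly that baseline; after appending `sysctl_conf_fix` output to /etc/sysctl.conf and running `sysctl -p`, audit live `sysctl -a` output again rather than the file, because /etc/sysctl.conf only describes what the next `sysctl -p` or reboot will apply.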
Services 1
/sbin/chkconfig --list | sort
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
apmd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irda 0:off 1:off 2:off 3:off 4:off 5:off 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
pcmcia 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
yum 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Processes 1
/bin/ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3 0.0 0.0 0 0 ? SW 13:18 0:00 [migration/1]
root 2 0.0 0.0 0 0 ? SW 13:18 0:00 [migration/0]
root 1 0.0 0.1 1372 136 ? S 13:18 0:04 init
root 4 0.0 0.0 0 0 ? SW 13:18 0:00 [keventd]
root 5 0.0 0.0 0 0 ? SWN 13:18 0:00 [ksoftirqd_CPU0]
root 6 0.0 0.0 0 0 ? SWN 13:18 0:00 [ksoftirqd_CPU1]
root 11 0.0 0.0 0 0 ? SW 13:18 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 13:18 0:04 [kswapd]
root 8 0.0 0.0 0 0 ? SW 13:18 0:00 [kscand/DMA]
root 9 0.0 0.0 0 0 ? SW 13:18 0:03 [kscand/Normal]
root 10 0.0 0.0 0 0 ? SW 13:18 0:00 [kscand/HighMem]
root 12 0.0 0.0 0 0 ? SW 13:18 0:00 [kupdated]
root 13 0.0 0.0 0 0 ? SW 13:18 0:00 [mdrecoveryd]
root 19 0.0 0.0 0 0 ? SW 13:18 0:00 [scsi_eh_0]
root 22 0.0 0.0 0 0 ? SW 13:18 0:00 [kjournald]
root 80 0.0 0.0 0 0 ? SW 13:19 0:00 [khubd]
root 154 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 155 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 156 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 157 0.0 0.0 0 0 ? SW 13:19 0:00 [kjournald]
root 439 0.0 0.1 1440 156 ? S 13:19 0:00 syslogd -m 0
root 443 0.0 0.0 1364 4 ? S 13:19 0:00 klogd -x
rpc 461 0.0 0.0 1540 0 ? SW 13:19 0:00 [portmap]
rpcuser 480 0.0 0.0 1524 0 ? SW 13:19 0:00 [rpc.statd]
root 612 0.0 0.3 5916 392 ? S 13:19 0:00 [sendmail]
smmsp 621 0.0 0.2 5712 312 ? S 13:19 0:00 [sendmail]
root 631 0.0 0.0 1408 4 ? S 13:19 0:00 gpm -t ps/2 -m /dev/mouse
root 640 0.0 0.1 1420 132 ? S 13:19 0:00 crond
daemon 658 0.0 0.1 1408 160 ? S 13:19 0:00 [atd]
root 667 0.0 0.0 1352 4 tty2 S 13:19 0:00 /sbin/mingetty tty2
root 668 0.0 0.0 1352 4 tty3 S 13:19 0:00 /sbin/mingetty tty3
root 669 0.0 0.0 1344 4 tty4 S 13:19 0:00 /sbin/mingetty tty4
root 670 0.0 0.0 1344 4 tty5 S 13:19 0:00 /sbin/mingetty tty5
root 671 0.0 0.0 1344 4 tty6 S 13:19 0:00 /sbin/mingetty tty6
root 1048 0.0 0.2 3500 364 ? S 13:36 0:00 /usr/sbin/sshd
root 6940 0.0 0.6 6744 796 ? S 14:31 0:00  \_ /usr/sbin/sshd
joeuser 6942 0.0 0.8 6784 1100 ? S 14:31 0:01      \_ [sshd]
joeuser 6943 0.0 1.0 4292 1264 pts/0 S 14:31 0:00          \_ -bash
root 6986 0.0 0.5 4092 716 pts/0 S 14:41 0:00              \_ [su]
root 6987 0.0 1.0 4304 1328 pts/0 S 14:41 0:02                  \_ -bash
root 7132 0.0 0.5 2616 668 pts/0 R 15:24 0:00                      \_ ps faux
root 6980 0.0 0.3 1348 388 tty1 S 14:32 0:00 /sbin/mingetty tty1
Disk Usage 1
/bin/df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 981M 120M 812M 13% /
/dev/hda2 99M 15M 79M 16% /boot
/dev/hda8 3.7G 241M 3.3G 7% /home
none 62M 0 62M 0% /dev/shm
/dev/hda5 587M 343M 215M 62% /usr
/dev/hda6 373M 120M 234M 34% /var
Network Connections 1
/bin/netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 hard9:smtp *:* LISTEN
tcp 0 128 192.168.0.1:ssh 192.168.0.2:38569 ESTABLISHED
udp 0 0 *:1024 *:*
udp 0 0 *:710 *:*
udp 0 0 *:sunrpc *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 8 [ ] DGRAM 1020 /dev/log
unix 2 [ ACC ] STREAM LISTENING 1383 /dev/gpmctl
unix 2 [ ] DGRAM 1417
unix 2 [ ] DGRAM 1400
unix 2 [ ] DGRAM 1365
unix 2 [ ] DGRAM 1351
unix 2 [ ] DGRAM 1081
unix 2 [ ] DGRAM 1028
Open Files 1
This listing was captured on a different boot from the ps output above (syslogd is PID 439 there and 493 here, sshd 1048 there and 642 here), so match entries to the process list by command name and user rather than by PID.
/usr/sbin/lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 3,3 4096 2 /
init 1 root rtd DIR 3,3 4096 2 /
init 1 root txt REG 3,3 27036 32161 /sbin/init
init 1 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
init 1 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
init 1 root 10u FIFO 3,3 71382 /dev/initctl
migration 2 root cwd DIR 3,3 4096 2 /
migration 2 root rtd DIR 3,3 4096 2 /
migration 2 root 10u FIFO 3,3 71382 /dev/initctl
migration 3 root cwd DIR 3,3 4096 2 /
migration 3 root rtd DIR 3,3 4096 2 /
migration 3 root 10u FIFO 3,3 71382 /dev/initctl
keventd 4 root cwd DIR 3,3 4096 2 /
keventd 4 root rtd DIR 3,3 4096 2 /
keventd 4 root 10u FIFO 3,3 71382 /dev/initctl
ksoftirqd 5 root cwd DIR 3,3 4096 2 /
ksoftirqd 5 root rtd DIR 3,3 4096 2 /
ksoftirqd 5 root 10u FIFO 3,3 71382 /dev/initctl
ksoftirqd 6 root cwd DIR 3,3 4096 2 /
ksoftirqd 6 root rtd DIR 3,3 4096 2 /
ksoftirqd 6 root 10u FIFO 3,3 71382 /dev/initctl
kswapd 7 root cwd DIR 3,3 4096 2 /
kswapd 7 root rtd DIR 3,3 4096 2 /
kswapd 7 root 10u FIFO 3,3 71382 /dev/initctl
kscand/DM 8 root cwd DIR 3,3 4096 2 /
kscand/DM 8 root rtd DIR 3,3 4096 2 /
kscand/DM 8 root 10u FIFO 3,3 71382 /dev/initctl
kscand/No 9 root cwd DIR 3,3 4096 2 /
kscand/No 9 root rtd DIR 3,3 4096 2 /
kscand/No 9 root 10u FIFO 3,3 71382 /dev/initctl
kscand/Hi 10 root cwd DIR 3,3 4096 2 /
kscand/Hi 10 root rtd DIR 3,3 4096 2 /
kscand/Hi 10 root 10u FIFO 3,3 71382 /dev/initctl
bdflush 11 root cwd DIR 3,3 4096 2 /
bdflush 11 root rtd DIR 3,3 4096 2 /
bdflush 11 root 10u FIFO 3,3 71382 /dev/initctl
kupdated 12 root cwd DIR 3,3 4096 2 /
kupdated 12 root rtd DIR 3,3 4096 2 /
kupdated 12 root 10u FIFO 3,3 71382 /dev/initctl
mdrecover 13 root cwd DIR 3,3 4096 2 /
mdrecover 13 root rtd DIR 3,3 4096 2 /
mdrecover 13 root 10u FIFO 3,3 71382 /dev/initctl
scsi_eh_0 19 root cwd DIR 3,3 4096 2 /
scsi_eh_0 19 root rtd DIR 3,3 4096 2 /
scsi_eh_0 19 root 10u FIFO 3,3 71382 /dev/initctl
kjournald 22 root cwd DIR 3,3 4096 2 /
kjournald 22 root rtd DIR 3,3 4096 2 /
kjournald 22 root 10u FIFO 3,3 71382 /dev/initctl
khubd 80 root cwd DIR 3,3 4096 2 /
khubd 80 root rtd DIR 3,3 4096 2 /
khubd 80 root 10u FIFO 3,3 71382 /dev/initctl
kjournald 153 root cwd DIR 3,3 4096 2 /
kjournald 153 root rtd DIR 3,3 4096 2 /
kjournald 153 root 10u FIFO 3,3 71382 /dev/initctl
kjournald 154 root cwd DIR 3,3 4096 2 /
kjournald 154 root rtd DIR 3,3 4096 2 /
kjournald 154 root 10u FIFO 3,3 71382 /dev/initctl
kjournald 155 root cwd DIR 3,3 4096 2 /
kjournald 155 root rtd DIR 3,3 4096 2 /
kjournald 155 root 10u FIFO 3,3 71382 /dev/initctl
syslogd 493 root cwd DIR 3,3 4096 2 /
syslogd 493 root rtd DIR 3,3 4096 2 /
syslogd 493 root txt REG 3,3 27424 32159 /sbin/syslogd
syslogd 493 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
syslogd 493 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
syslogd 493 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
syslogd 493 root 0u unix 0xc5333080 1020 /dev/log
syslogd 493 root 1w REG 3,3 18213 20421 /var/log/messages
syslogd 493 root 2w REG 3,3 166 20422 /var/log/secure
syslogd 493 root 3w REG 3,3 349 20423 /var/log/maillog
syslogd 493 root 4w REG 3,3 499 20528 /var/log/cron
syslogd 493 root 5w REG 3,3 0 20424 /var/log/spooler
syslogd 493 root 6w REG 3,3 1942 20529 /var/log/boot.log
klogd 497 root cwd DIR 3,3 4096 2 /
klogd 497 root rtd DIR 3,3 4096 2 /
klogd 497 root txt REG 3,3 22332 32158 /sbin/klogd
klogd 497 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
klogd 497 root root cwd DIR 3,3 4096 tls/libc-2.3.2.so klogd 497 root 0r REG 4096 2 / kswapd 7 root 10u 497 root 1u unix 0xc5333a80 1028 socket
portmap 515 rpc cwd DIR 3,3 4096 2 /
portmap 515 rpc rtd DIR 3,3 4096 2 /
portmap 515 rpc txt REG 3,3 12476 32726 /sbin/portmap
portmap 515 rpc mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
portmap 515 rpc mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6
portmap 515 rpc mem REG 3,3 91604 31966 /lib/libnsl-2.3.2.so
portmap 515 rpc mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
portmap 515 rpc mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
portmap 515 rpc 0u CHR 1,3 65398 /dev/null
portmap 515 rpc 1u CHR 1,3 65398 /dev/null
portmap 515 rpc 2u CHR 1,3 65398 /dev/null
portmap 515 rpc 3u IPv4 1056 UDP *:sunrpc
portmap 515 rpc 4u IPv4 1059 TCP *:sunrpc (LISTEN)
rpc.statd 534 rpcuser cwd DIR 3,3 4096 112232 /var/lib/nfs/statd
rpc.statd 534 rpcuser rtd DIR 3,3 4096 2 /
rpc.statd 534 rpcuser txt REG 3,3 30808 32728 /sbin/rpc.statd
rpc.statd 534 rpcuser mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
rpc.statd 534 rpcuser mem REG 3,3 91604 31966 /lib/libnsl-2.3.2.so
rpc.statd 534 rpcuser mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
rpc.statd 534 rpcuser mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
rpc.statd 534 rpcuser 0u CHR 1,3 65398 /dev/null
rpc.statd 534 rpcuser 1u CHR 1,3 65398 /dev/null
rpc.statd 534 rpcuser 2u CHR 1,3 65398 /dev/null
rpc.statd 534 rpcuser 3u unix 0xc7ca5080 1081 socket
rpc.statd 534 rpcuser 4u IPv4 1095 UDP *:1024
rpc.statd 534 rpcuser 5u IPv4 1084 UDP *:710
rpc.statd 534 rpcuser 6u IPv4 1098 TCP *:1024 (LISTEN)
sshd 642 root cwd DIR 3,3 4096 2 /
sshd 642 root rtd DIR 3,3 4096 2 /
sshd 642 root txt REG 3,5 278552 33957 /usr/sbin/sshd
sshd 642 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
sshd 642 root mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6
sshd 642 root mem REG 3,3 30448 32147 /lib/libpam.so.0.75
sshd 642 root mem REG 3,3 15084 31962 /lib/libdl-2.3.2.so
sshd 642 root mem REG 3,3 76552 31982 /lib/libresolv-2.3.2.so
sshd 642 root mem REG 3,3 12696 31988 /lib/libutil-2.3.2.so
sshd 642 root mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4
sshd 642 root mem REG 3,3 91604 31966 /lib/libnsl-2.3.2.so
sshd 642 root mem REG 3,3 968956 32123 /lib/libcrypto.so.0.9.7a
sshd 642 root mem REG 3,5 385220 62496 /usr/kerberos/lib/libkrb5.so.3.1
sshd 642 root mem REG 3,5 63880 62486 /usr/kerberos/lib/libk5crypto.so.3.0
sshd 642 root mem REG 3,5 5572 62476 /usr/kerberos/lib/libcom_err.so.3.0
sshd 642 root mem REG 3,5 73756 62482 /usr/kerberos/lib/libgssapi_krb5.so.2.2
sshd 642 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
sshd 642 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
sshd 642 root 0u CHR 1,3 65398 /dev/null
sshd 642 root 1u CHR 1,3 65398 /dev/null
sshd 642 root 2u CHR 1,3 65398 /dev/null
sshd 642 root 3u IPv4 1294 TCP *:ssh (LISTEN)
sendmail 666 root cwd DIR 3,3 4096 112250 /var/spool/mqueue
sendmail 666 root rtd DIR 3,3 4096 2 /
sendmail 666 root txt REG 3,5 3859419 33988 /usr/sbin/sendmail.sendmail
sendmail 666 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
sendmail 666 root mem REG 3,5 5936 47796 /usr/lib/sasl/libanonymous.so.1.0.17
sendmail 666 root mem REG 3,3 5512945 31993 /lib/libdb-4.0.so
sendmail 666 root mem REG 3,3 76552 31982 /lib/libresolv-2.3.2.so
sendmail 666 root mem REG 3,3 23668 31960 /lib/libcrypt-2.3.2.so
sendmail 666 root mem REG 3,3 91604 31966 /lib/libnsl-2.3.2.so
sendmail 666 root mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6
sendmail 666 root mem REG 3,5 176592 32663 /usr/lib/libldap.so.2.0.17
sendmail 666 root mem REG 3,5 39960 32661 /usr/lib/liblber.so.2.0.17
sendmail 666 root mem REG 3,5 43612 32651 /usr/lib/libsasl.so.7.1.11
sendmail 666 root mem REG 3,3 216004 32124 /lib/libssl.so.0.9.7a
sendmail 666 root mem REG 3,3 968956 32123 /lib/libcrypto.so.0.9.7a
sendmail 666 root mem REG 3,5 14120 32814 /usr/lib/libhesiod.so.0
sendmail 666 root mem REG 3,5 22504 31397 /usr/lib/libgdbm.so.2.0.0
sendmail 666 root mem REG 3,3 79744 95828 /lib/tls/libpthread-0.29.so
sendmail 666 root mem REG 3,3 15084 31962 /lib/libdl-2.3.2.so
sendmail 666 root mem REG 3,3 30448 32147 /lib/libpam.so.0.75
sendmail 666 root mem REG 3,5 73756 62482 /usr/kerberos/lib/libgssapi_krb5.so.2.2
sendmail 666 root mem REG 3,5 385220 62496 /usr/kerberos/lib/libkrb5.so.3.1
sendmail 666 root mem REG 3,5 63880 62486 /usr/kerberos/lib/libk5crypto.so.3.0
sendmail 666 root mem REG 3,5 5572 62476 /usr/kerberos/lib/libcom_err.so.3.0
sendmail 666 root mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4
sendmail 666 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
sendmail 666 root mem REG 3,5 11012 47809 /usr/lib/sasl/libcrammd5.so.1.0.19
sendmail 666 root mem REG 3,5 30728 47813 /usr/lib/sasl/libdigestmd5.so.0.0.20
sendmail 666 root mem REG 3,5 8212 47938 /usr/lib/sasl/liblogin.so.0.0.7
sendmail 666 root mem REG 3,5 11844 62478 /usr/kerberos/lib/libdes425.so.3.0
sendmail 666 root mem REG 3,5 7900 47942 /usr/lib/sasl/libplain.so.1.0.16
sendmail 666 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
sendmail 666 root 0r CHR 1,3 65398 /dev/null
sendmail 666 root 1w CHR 1,3 65398 /dev/null
sendmail 666 root 2w CHR 1,3 65398 /dev/null
sendmail 666 root 3u unix 0xc65a5080 1351 socket
sendmail 666 root 4u IPv4 1352 TCP hard9:smtp (LISTEN)
sendmail 675 smmsp cwd DIR 3,3 4096 112249 /var/spool/clientmqueue
sendmail 675 smmsp rtd DIR 3,3 4096 2 /
sendmail 675 smmsp txt REG 3,5 3859419 33988 /usr/sbin/sendmail.sendmail
sendmail 675 smmsp mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
sendmail 675 smmsp mem REG 3,3 5512945 31993 /lib/libdb-4.0.so
sendmail 675 smmsp mem REG 3,3 76552 31982 /lib/libresolv-2.3.2.so
sendmail 675 smmsp mem REG 3,3 23668 31960 /lib/libcrypt-2.3.2.so
sendmail 675 smmsp mem REG 3,3 91604 31966 /lib/libnsl-2.3.2.so
sendmail 675 smmsp mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6
sendmail 675 smmsp mem REG 3,5 176592 32663 /usr/lib/libldap.so.2.0.17
sendmail 675 smmsp mem REG 3,5 39960 32661 /usr/lib/liblber.so.2.0.17
sendmail 675 smmsp mem REG 3,5 43612 32651 /usr/lib/libsasl.so.7.1.11
sendmail 675 smmsp mem REG 3,3 216004 32124 /lib/libssl.so.0.9.7a
sendmail 675 smmsp mem REG 3,3 968956 32123 /lib/libcrypto.so.0.9.7a
sendmail 675 smmsp mem REG 3,5 14120 32814 /usr/lib/libhesiod.so.0
sendmail 675 smmsp mem REG 3,5 22504 31397 /usr/lib/libgdbm.so.2.0.0
sendmail 675 smmsp mem REG 3,3 79744 95828 /lib/tls/libpthread-0.29.so
sendmail 675 smmsp mem REG 3,3 15084 31962 /lib/libdl-2.3.2.so
sendmail 675 smmsp mem REG 3,3 30448 32147 /lib/libpam.so.0.75
sendmail 675 smmsp mem REG 3,5 73756 62482 /usr/kerberos/lib/libgssapi_krb5.so.2.2
sendmail 675 smmsp mem REG 3,5 385220 62496 /usr/kerberos/lib/libkrb5.so.3.1
sendmail 675 smmsp mem REG 3,5 63880 62486 /usr/kerberos/lib/libk5crypto.so.3.0
sendmail 675 smmsp mem REG 3,5 5572 62476 /usr/kerberos/lib/libcom_err.so.3.0
sendmail 675 smmsp mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4
sendmail 675 smmsp mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
sendmail 675 smmsp mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
sendmail 675 smmsp 0r CHR 1,3 65398 /dev/null
sendmail 675 smmsp 1w CHR 1,3 65398 /dev/null
sendmail 675 smmsp 2w CHR 1,3 65398 /dev/null
sendmail 675 smmsp 3u unix 0xc58a6080 1365 socket
gpm 685 root cwd DIR 3,3 4096 2 /
gpm 685 root rtd DIR 3,3 4096 2 /
gpm 685 root txt REG 3,5 63292 32812 /usr/sbin/gpm
gpm 685 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
gpm 685 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
gpm 685 root 0w CHR 5,1 63962 /dev/console
gpm 685 root 1u REG 3,3 4 98680 /var/run/gpmw76u2a (deleted)
gpm 685 root 2u CHR 10,1 65518 /dev/psaux
gpm 685 root 3u unix 0xc58a6580 1383 /dev/gpmctl
crond 694 root cwd DIR 3,3 4096 95821 /var/spool
crond 694 root rtd DIR 3,3 4096 2 /
crond 694 root txt REG 3,5 23228 34034 /usr/sbin/crond
crond 694 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
crond 694 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
crond 694 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
crond 694 root 0u CHR 5,1 63962 /dev/console
crond 694 root 1w FIFO 0,5 1396 pipe
crond 694 root 2w FIFO 0,5 1397 pipe
crond 694 root 3u REG 3,3 4 98682 /var/run/crond.pid
crond 694 root 4u unix 0xc5bfb080 1400 socket
anacron 703 root cwd DIR 3,3 4096 112269 /var/spool/anacron
anacron 703 root rtd DIR 3,3 4096 2 /
anacron 703 root txt REG 3,5 21024 34036 /usr/sbin/anacron
anacron 703 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
anacron 703 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
anacron 703 root 0r CHR 1,3 65398 /dev/null
anacron 703 root 1w CHR 1,3 65398 /dev/null
anacron 703 root 2w CHR 1,3 65398 /dev/null
anacron 703 root 3u unix 0xc5c60a80 1417 socket
anacron 703 root 4uW REG 3,3 0 112276 /var/spool/anacron/cron.daily
anacron 703 root 5uW REG 3,3 0 112277 /var/spool/anacron/cron.weekly
anacron 703 root 6uW REG 3,3 0 112278 /var/spool/anacron/cron.monthly
atd 712 daemon cwd DIR 3,3 4096 112064 /var/spool/at
atd 712 daemon rtd DIR 3,3 4096 2 /
atd 712 daemon txt REG 3,5 14928 32749 /usr/sbin/atd
atd 712 daemon mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
atd 712 daemon mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
atd 712 daemon mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
atd 712 daemon 0u CHR 1,3 65398 /dev/null
atd 712 daemon 1u CHR 1,3 65398 /dev/null
atd 712 daemon 2u CHR 1,3 65398 /dev/null
atd 712 daemon 3uW REG 3,3 4 98685 /var/run/atd.pid
minge REG 3,5 63880 62486 /usr/ke 4096 2 /
mingetty 721 root rtd DIR 3,3 4096 2 /
mingetty 721 root txt REG 3,3 8608 32025 /sbin/mingetty
mingetty 721 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
mingetty 721 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
mingetty 721 root 0u CHR 4,2 70199 /dev/tty2
mingetty 721 root 1u CHR 4,2 70199 /dev/tty2
mingetty 721 root 2u CHR 4,2 70199 /dev/tty2
mingetty 722 root cwd DIR 3,3 4096 2 /
mingetty 722 root rtd DIR 3,3 4096 2 /
mingetty 722 root txt REG 3,3 8608 32025 /sbin/mingetty
mingetty 722 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
mingetty 722 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
mingetty 722 root 0u CHR 4,3 70210 /dev/tty3
mingetty 722 root 1u CHR 4,3 70210 /dev/tty3
mingetty 722 root 2u CHR 4,3 70210 /dev/tty3
mingetty 723 root cwd DIR 3,3 4096 2 /
mingetty 723 root rtd DIR 3,3 4096 2 /
mingetty 723 root txt REG 3,3 8608 32025 /sbin/mingetty
mingetty 723 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
mingetty 723 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
mingetty 723 root 0u CHR 4,4 70213 /dev/tty4
mingetty 723 root 1u CHR 4,4 70213 /dev/tty4
mingetty 723 root 2u CHR 4,4 70213 /dev/tty4
mingetty 724 root cwd DIR 3,3 4096 2 /
mingetty 724 root rtd DIR 3,3 4096 2 /
mingetty 724 root txt REG 3,3 8608 32025 /sbin/mingetty
mingetty 724 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
mingetty 724 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
mingetty 724 root 0u CHR 4,5 70214 /dev/tty5
mingetty 724 root 1u CHR 4,5 70214 /dev/tty5
mingetty 724 root 2u CHR 4,5 70214 /dev/tty5
mingetty 725 root cwd DIR 3,3 4096 2 /
mingetty 725 root rtd DIR 3,3 4096 2 /
mingetty 725 root txt REG 3,3 8608 32025 /sbin/mingetty
mingetty 725 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
mingetty 725 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
mingetty 725 root 0u CHR 4,6 70215 /dev/tty6
mingetty 725 root 1u CHR 4,6 70215 /dev/tty6
mingetty 725 root 2u CHR 4,6 70215 /dev/tty6
bash 726 root cwd DIR 3,3 4096 15970 /etc/sysconfig/network-scripts
bash 726 root rtd DIR 3,3 4096 2 /
bash 726 root txt REG 3,3 626028 16003 /bin/bash
bash 726 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
bash 726 root mem REG 3,3 11784 32041 /lib/libtermcap.so.2.0.8
bash 726 root mem REG 3,3 15084 31962 /lib/libdl-2.3.2.so
bash 726 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
bash 726 root mem REG 3,5 30301680 46574 /usr/lib/locale/locale-archive
bash 726 root mem REG 3,5 21040 46782 /usr/lib/gconv/gconv-modules.cache
bash 726 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
bash 726 root 0u CHR 4,1 70188 /dev/tty1
bash 726 root 1u CHR 4,1 70188 /dev/tty1
bash 726 root 2u CHR 4,1 70188 /dev/tty1
bash 726 root 255u CHR 4,1 70188 /dev/tty1
sshd 1090 root cwd DIR 3,3 4096 2 /
sshd 1090 root rtd DIR 3,3 4096 REG 3,3 103044 root txt REG 3,5 278552 33957 /usr/sbin/sshd
sshd 1090 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
sshd 1090 root mem REG 3,3 4856 50187 /lib/security/pam_nologin.so
sshd 1090 root mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6
sshd 1090 root mem REG 3,3 30448 32147 /lib/libpam.so.0.75
sshd 1090 root mem REG 3,3 15084 31962 /lib/libdl-2.3.2.so
sshd 1090 root mem REG 3,3 76552 31982 /lib/libresolv-2.3.2.so
sshd 1090 root mem REG 3,3 12696 31988 /lib/libutil-2.3.2.so
sshd 1090 root mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4
sshd 1090 root mem REG 3,3 91604 31966 /lib/libnsl-2.3.2.so
sshd 1090 root mem REG 3,3 968956 32123 /lib/libcrypto.so.0.9.7a
sshd 1090 root mem REG 3,5 385220 62496 /usr/kerberos/lib/libkrb5.so.3.1
sshd 1090 root mem REG 3,5 63880 62486 /usr/kerberos/lib/libk5crypto.so.3.0
sshd 1090 root mem REG 3,5 5572 62476 /usr/kerberos/lib/libcom_err.so.3.0
sshd 1090 root mem REG 3,5 73756 62482 /usr/kerberos/lib/libgssapi_krb5.so.2.2
sshd 1090 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
sshd 1090 root mem CHR 1,5 71377 /dev/zero
sshd 1090 root mem REG 3,3 11132 50194 /lib/security/pam_stack.so
sshd 1090 root mem REG 3,3 12324 50181 /lib/security/pam_limits.so
sshd 1090 root mem REG 3,3 47584 50170 /lib/security/pam_console.so
sshd 1090 root mem REG 3,3 3404 50172 /lib/security/pam_deny.so
sshd 1090 root mem REG 3,5 150624 31399 /usr/lib/libglib-1.2.so.0.0.10
sshd 1090 root mem REG 3,3 18416 31970 /lib/libnss_dns-2.3.2.so
sshd 1090 root mem REG 3,3 11592 50173 /lib/security/pam_env.so
sshd 1090 root mem REG 3,3 48544 50199 /lib/security/pam_unix.so
sshd 1090 root mem REG 3,3 23668 31960 /lib/libcrypt-2.3.2.so
sshd 1090 root mem REG 3,3 12964 50171 /lib/security/pam_cracklib.so
sshd 1090 root mem REG 3,5 27596 31384 /usr/lib/libcrack.so.2.7
sshd 1090 root mem CHR 1,5 71377 /dev/zero
sshd 1090 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
sshd 1090 root 0u CHR 1,3 65398 /dev/null
sshd 1090 root 1u CHR 1,3 65398 /dev/null
sshd 1090 root 2u CHR 1,3 65398 /dev/null
sshd 1090 root 3r FIFO 0,5 1862 pipe
sshd 1090 root 4u IPv4 1851 TCP 192.168.0.1:ssh->192.168.0.2:38569 (ESTABLISHED)
sshd 1090 root 5w FIFO 0,5 1862 pipe
sshd 1090 root 6u CHR 5,2 65536 /dev/ptmx
sshd 1090 root 7u CHR 5,2 65536 /dev/ptmx
sshd 1090 root 8u CHR 5,2 65536 /dev/ptmx
bash 1092 root cwd DIR 3,3 4096 32745 /root/CIS/linux
bash 1092 root rtd DIR 3,3 4096 2 /
bash 1092 root txt REG 3,3 626028 16003 /bin/bash
bash 1092 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
bash 1092 root mem REG 3,3 11784 32041 /lib/libtermcap.so.2.0.8
bash 1092 root mem REG 3,3 15084 31962 /lib/libdl-2.3.2.so
bash 1092 root mem REG 3,3 52472 31972 /lib/libnss_files-2.3.2.so
bash 1092 root mem REG 3,5 30301680 46574 /usr/lib/locale/locale-archive
bash 1092 root mem REG 3,5 21040 46782 /usr/lib/gconv/gconv-modules.cache
bash 1092 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
bash 1092 root 0u CHR 136,0 2 /dev/pts/0
bash 1092 root 1u CHR 136,0 2 /dev/pts/0
bash 1092 root 2u CHR 136,0 2 /dev/pts/0
bash 1092 root 255u CHR 136,0 2 /dev/pts/0
lsof 1294 root cwd DIR 3,3 4096 32745 /root/CIS/linux
lsof 1294 root rtd DIR 3,3 4096 2 /
lsof 1294 root txt REG 3,5 95640 32894 /usr/sbin/lsof
lsof 1294 root mem REG 3,3 103044 31951 /lib/ld-2.3.2.so
lsof 1294 root mem REG 3,5 30301680 46574 /usr/lib/locale/locale-archive
lsof 1294 root mem REG 3,5 21040 46782 /usr/lib/gconv/gconv-modules.cache
lsof 1294 root mem REG 3,3 1531064 95824 /lib/tls/libc-2.3.2.so
lsof 1294 root 0u CHR 136,0 2 /dev/pts/0
lsof 1294 root 1u CHR 136,0 2 /dev/pts/0
lsof 1294 root 2u CHR 136,0 2 /dev/pts/0
lsof 1294 root 3r DIR 0,2 0 1 /proc
lsof 1294 root 4r DIR 0,2 0 84803592 /proc/1294/fd
Firewall 1
/sbin/iptables -L
Chain INPUT (policy ACCEPT)
target                prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target                prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target                prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (2 references)
target                prot opt source               destination
ACCEPT                tcp  --  anywhere             anywhere            tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT                all  --  anywhere             anywhere
ACCEPT                udp  --  192.168.5.254        anywhere            udp spt:domain
ACCEPT                udp  --  dns01.cavtel.net     anywhere            udp spt:domain
ACCEPT                udp  --  phobos.vcu.edu       anywhere            udp spt:domain
REJECT                tcp  --  anywhere             anywhere            tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT                udp  --  anywhere             anywhere            udp reject-with icmp-port-unreachable
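Two things about the lokkit ruleset above are worth checking before trusting it. Every chain still has policy ACCEPT, so the chain only filters what the explicit REJECT lines catch, and `iptables -L` without `-n -v` hides the interface column, so the bare `ACCEPT all -- anywhere anywhere` line cannot be told apart from a loopback-only rule without re-running `iptables -L -n -v`. The script below is an added example, not the wiki's own configuration: it generates an iptables-restore ruleset for a host that should expose only sshd to an assumed management network (`MGMT_NET`, 192.168.0.0/24 here, chosen to match the scanner's subnet), with DROP default policies and explicit rules for the two kernel-level warnings the Nessus scans further down report (ICMP timestamp requests and replies, and TCP packets carrying both SYN and FIN). It assumes connection tracking (`-m state`) is available, as it is on the Red Hat 9 2.4 kernel.

```shell
#!/bin/sh
# Added example, not the Rivalug wiki's configuration. Generates an
# iptables-restore ruleset for a host that exposes only sshd.
# Assumptions: MGMT_NET is the only network allowed to open ssh sessions;
# the kernel has ip_conntrack (-m state), as Red Hat 9's 2.4 kernel does.
MGMT_NET="${MGMT_NET:-192.168.0.0/24}"   # assumed admin network

# Print the ruleset on stdout in iptables-save/restore format.
gen_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        ':HARD-INPUT - [0:0]' \
        '-A INPUT -j HARD-INPUT' \
        '-A HARD-INPUT -i lo -j ACCEPT' \
        '-A HARD-INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP' \
        '-A HARD-INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP' \
        '-A HARD-INPUT -p icmp --icmp-type 13 -j DROP' \
        '-A HARD-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        "-A HARD-INPUT -p tcp -s $MGMT_NET --dport 22 -m state --state NEW -j ACCEPT" \
        '-A HARD-INPUT -p tcp --syn -j REJECT --reject-with icmp-port-unreachable' \
        '-A HARD-INPUT -p udp -j REJECT --reject-with icmp-port-unreachable' \
        '-A HARD-INPUT -j DROP' \
        '-A OUTPUT -p icmp --icmp-type 14 -j DROP' \
        'COMMIT'
}

# Load the ruleset atomically. Refuses unless root and explicitly asked for.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be root" >&2
        return 1
    fi
    gen_rules | iptables-restore && echo "loaded; verify with: iptables -L -n -v" >&2
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Once loaded, `iptables-save > /etc/sysconfig/iptables` makes the ruleset survive a reboot through the iptables init script that `chkconfig --list` later on this page shows enabled. The three `udp spt:domain` accepts in the lokkit chain are unnecessary once conntrack matches a DNS reply as ESTABLISHED, and a source-port-53 accept is the classic way to slip packets past a stateless filter, so they are deliberately absent here.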
Vulnerability Scan 1
nessus against iptables running 1
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 1
- Number of security warnings found : 4
- Number of security notes found : 6
TESTED HOSTS
192.168.0.2 (Security holes found)
DETAILS + 192.168.0.2 :
. List of open ports :
o ssh (22/tcp) (Security hole found)
o general/tcp (Security warnings found)
o general/icmp (Security warnings found)
o general/udp (Security notes found)
. Vulnerability found on port ssh (22/tcp) :
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management functions which might allow an attacker to execute arbitrary commands on this host.
An exploit for this issue is rumored to exist.
Note that several distribution patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also :
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
. Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of hosts a given user can log from by specifying a pattern in the user key file (ie: *.mynetwork.com would let a user connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups. If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
. Warning found on port ssh (22/tcp)
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
. Information found on port ssh (22/tcp)
An ssh server is running on this port
. Information found on port ssh (22/tcp)
Remote SSH version : SSH-1.99-OpenSSH_3.5p1
Remote SSH supported authentication :
publickey,password,keyboard-interactive
. Information found on port ssh (22/tcp)
The remote host is running a SSH server which can allow an attacker to determine the existence of a given login by comparing the time the remote sshd daemon takes to refuse a bad password for a non-existent login compared to the time it takes to refuse a bad password for a valid login.
An attacker may use this flaw to set up a brute force attack against the remote host.
Solution : Disable PAM support if you do not use it, upgrade to the newest version of OpenSSH
Risk factor : Low
CVE : CAN-2003-0190
BID : 7342, 7467, 7482, 11781
. Information found on port ssh (22/tcp)
The remote SSH daemon supports the following versions of the SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
SSHv1 host key fingerprint : 81:65:57:fe:e9:47:ef:34:26:af:bc:c4:8e:70:83:d6 SSHv2 host key fingerprint : f9:f9:48:3d:4d:1a:08:34:b0:ff:c3:5c:a2:dc:db:98
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which have the FIN flag set.
Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
See also :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Information found on port general/tcp
The remote host is running Linux Kernel 2.4
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
. Information found on port general/udp
For your information, here is the traceroute to 192.168.0.2 :
192.168.0.1
192.168.0.2
------------------------------------------------------
This file was generated by the Nessus Security Scanner
nessus against iptables stopped 1
Nessus Scan Report
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 1
- Number of security warnings found : 5
- Number of security notes found : 10
TESTED HOSTS
192.168.0.2 (Security holes found)
DETAILS
+ 192.168.0.2 :
. List of open ports :
o ssh (22/tcp) (Security hole found)
o sunrpc (111/tcp) (Security notes found)
o kdm (1024/tcp) (Security notes found)
o sunrpc (111/udp) (Security notes found)
o unknown (1024/udp) (Security warnings found)
o general/icmp (Security warnings found)
o general/tcp (Security warnings found)
o general/udp (Security notes found)
. Vulnerability found on port ssh (22/tcp) :
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management functions which might allow an attacker to execute arbitrary commands on this host.
An exploit for this issue is rumored to exist.
Note that several distribution patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also :
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
. Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of hosts a given user can log from by specifying a pattern in the user key file (ie: *.mynetwork.com would let a user connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups. If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
. Warning found on port ssh (22/tcp)
The remote SSH daemon supports connections made using the version 1.33 and/or 1.5 of the SSH protocol.
These protocols are not completely cryptographically safe so they should not be used.
Solution :
If you use OpenSSH, set the option 'Protocol' to '2'
If you use SSH.com's set the option 'Ssh1Compatibility' to 'no'
Risk factor : Low
. Information found on port ssh (22/tcp)
An ssh server is running on this port
. Information found on port ssh (22/tcp)
Remote SSH version : SSH-1.99-OpenSSH_3.5p1
Remote SSH supported authentication :
publickey,password,keyboard-interactive
. Information found on port ssh (22/tcp)
The remote SSH daemon supports the following versions of the SSH protocol :
. 1.33
. 1.5
. 1.99
. 2.0
SSHv1 host key fingerprint : 81:65:57:fe:e9:47:ef:34:26:af:bc:c4:8e:70:83:d6 SSHv2 host key fingerprint : f9:f9:48:3d:4d:1a:08:34:b0:ff:c3:5c:a2:dc:db:98
. Information found on port sunrpc (111/tcp)
The RPC portmapper is running on this port.
An attacker may use it to enumerate your list of RPC services. We recommend you filter traffic going to this port.
Risk factor : Low
CVE : CAN-1999-0632, CVE-1999-0189
BID : 205
. Information found on port sunrpc (111/tcp)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
. Information found on port kdm (1024/tcp)
RPC program #100024 version 1 'status' is running on this port
. Information found on port sunrpc (111/udp)
RPC program #100000 version 2 'portmapper' (portmap sunrpc rpcbind) is running on this port
. Warning found on port unknown (1024/udp)
The statd RPC service is running. This service has a long history of security holes, so you should really know what you are doing if you decide to let it run.
*** No security hole regarding this program have been tested, so
*** this might be a false positive.
Solution : We suggest that you disable this service.
Risk factor : High
CVE : CVE-1999-0018, CVE-1999-0019, CVE-1999-0493
BID : 127, 450, 6831, 11785
. Information found on port unknown (1024/udp)
RPC program #100024 version 1 'status' is running on this port
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which have the FIN flag set.
Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
See also :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Information found on port general/tcp
The remote host is running one of these operating systems :
Linux Kernel 2.6
Linux Kernel 2.4
. Information found on port general/udp
For your information, here is the traceroute to 192.168.0.2 :
192.168.0.1
192.168.0.2
------------------------------------------------------
This file was generated by the Nessus Security Scanner
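Both scans above rate the OpenSSH finding High, and both carry the scanner's own caveat: the match is on the banner (`SSH-1.99-OpenSSH_3.5p1`), and Red Hat shipped the fix for CAN-2003-0682/0693/0695 as a backport that keeps the upstream version string, so the installed package release, not the banner, decides whether the host is exposed. The script below is an added example, not part of the wiki page, the CIS tool or Nessus. It takes the banner and the output of `rpm -q openssh-server`, checks them against the fixed Red Hat releases the report quotes, and also flags the case where the banner does not match the installed package at all (a stale sshd still running the old binary, or a second daemon). The sample inputs at the bottom are constructed: the page's own banner and package, a Red Hat 9 GA-style release, and a mismatching pair.

```shell
#!/bin/sh
# Added example: not part of the Rivalug page, the CIS tool or Nessus.
# Triages the "OpenSSH older than 3.7.1" finding. Nessus matched on the
# banner alone, and Red Hat shipped the fix as a backport without changing
# the upstream version, so the installed package release decides.
# FIXED_RELEASES holds the package versions the report itself quotes as
# fixed (RHSA-2003:279), as "upstream-version:minimum-release".
FIXED_RELEASES="3.1p1:13 3.4p1:7 3.5p1:11"

# banner_version "SSH-1.99-OpenSSH_3.5p1" -> 3.5p1 (empty if not OpenSSH)
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9a-z.]*\).*/\1/p'
}

# rpm_version "openssh-server-3.5p1-11" -> 3.5p1 ; rpm_release -> 11
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^openssh-server-\([^-]*\)-\([0-9]*\).*/\1/p'
}
rpm_release() {
    printf '%s\n' "$1" | sed -n 's/^openssh-server-\([^-]*\)-\([0-9]*\).*/\2/p'
}

# triage_openssh BANNER RPM_NVR
# Prints patched | VULNERABLE | mismatch | unknown; exit status 0 only for patched.
triage_openssh() {
    banner_ver=$(banner_version "$1")
    pkg_ver=$(rpm_version "$2")
    pkg_rel=$(rpm_release "$2")
    if [ -z "$banner_ver" ] || [ -z "$pkg_ver" ] || [ -z "$pkg_rel" ]; then
        echo unknown; return 1
    fi
    # The daemon answering on the wire must be the package rpm knows about;
    # otherwise a stale process or a second sshd is running and rpm proves nothing.
    if [ "$banner_ver" != "$pkg_ver" ]; then
        echo mismatch; return 1
    fi
    # Red Hat backport releases quoted by the scanner.
    for entry in $FIXED_RELEASES; do
        ver=${entry%%:*}; minrel=${entry##*:}
        if [ "$pkg_ver" = "$ver" ]; then
            if [ "$pkg_rel" -ge "$minrel" ]; then echo patched; return 0; fi
            echo VULNERABLE; return 1
        fi
    done
    # Not a tabled Red Hat build: only upstream 3.7.1 or later is known good.
    major=${pkg_ver%%.*}
    rest=${pkg_ver#*.}
    minor=${rest%%[!0-9]*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%[!0-9]*} ;;
        *)   patch=0 ;;
    esac
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo unknown; return 1 ;;
    esac
    if [ $(( $major * 10000 + $minor * 100 + $patch )) -ge 30701 ]; then
        echo patched; return 0
    fi
    echo unknown; return 1
}

if [ $# -eq 2 ]; then
    triage_openssh "$1" "$2"
else
    # Constructed inputs: the banner and package from this page's scan, then a
    # GA-style release, then a banner that does not match the package.
    for pair in "SSH-1.99-OpenSSH_3.5p1 openssh-server-3.5p1-11" \
                "SSH-1.99-OpenSSH_3.5p1 openssh-server-3.5p1-6" \
                "SSH-1.99-OpenSSH_3.4p1 openssh-server-3.5p1-11"; do
        set -- $pair
        printf '%-26s %-28s %s\n' "$1" "$2" "$(triage_openssh "$1" "$2")"
    done
fi
```

On the host, pass the banner the report shows and the live package: `sh triage.sh "SSH-1.99-OpenSSH_3.5p1" "$(rpm -q openssh-server)"`. A `patched` verdict clears only the buffer-management CVEs; the SSH protocol 1 and PAM timing findings in the same report are configuration issues (the CIS 1.3 items) and stay open until `Protocol 2` is set and sshd restarted. `unknown` means the build is neither a tabled Red Hat release nor upstream 3.7.1 or later, and needs the vendor advisory rather than a guess.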
After package and service adjustments
CIS Benchmark Score 2
[root@hard9 cis]# egrep "^Negative" ./cis-most-recent-log
Negative: 1.3 sshd_config parameter Protocol is not set.
Negative: 1.3 sshd_config parameter Banner is not set.
Negative: 1.3 ssh_config must have 'Protocol 2' underneath Host *.
Negative: 1.4 sysstat system accounting package is NOT installed.
Negative: 1.5 Bastille Linux package is NOT installed.
Negative: 3.1 umask not found in first /etc/rcX.d script /etc/rc3.d/S08iptables.
Negative: 4.1 sysctl net.ipv4.conf.default.secure_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.all.secure_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.all.rp_filter=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.icmp_echo_ignore_broadcasts=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.conf.all.accept_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.conf.default.accept_source_route=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.tcp_syncookies=0 and should be '1'.
Negative: 4.1 sysctl net.ipv4.conf.default.accept_redirects=1 and should be '0'.
Negative: 4.1 sysctl net.ipv4.tcp_max_syn_backlog=256 and should be >= 4096.
Negative: 4.2 sysctl net.ipv4.conf.all.send_redirects=1 and should be '0'.
Negative: 4.2 sysctl net.ipv4.conf.default.send_redirects=1 and should be '0'.
Negative: 4.2 /etc/sysctl.conf should not be world or group readable.
Negative: 6.1 /usr is not mounted nodev.
Negative: 6.1 /var is not mounted nodev.
Negative: 6.1 /home is not mounted nodev.
Negative: 6.1 /boot is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nodev.
Negative: 6.3 PAM allows users to mount removable media: <floppy>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <cdrom>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <pilot>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <jaz>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <zip>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <ls120>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <camera>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <memstick>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <flash>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <diskonkey>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rem_ide>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rio500>. (/etc/security/console.perms)
Negative: 7.4 Couldn't open cron.allow
Negative: 7.4 Couldn't open at.allow
Negative: 7.5 The permissions on /etc/crontab are not sufficiently restrictive.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty7.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty8.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty9.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty10.
Negative: 7.7 /etc/securetty has a non console or tty 1-6 line: tty11.
Negative: 7.8 GRUB isn't password-protected.
Negative: 7.9 /etc/inittab needs a /sbin/sulogin line for single user mode.
Negative: 8.1 bin has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 daemon has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 adm has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 lp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mail has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 news has a valid shell of /bin/sh. Remember, an empty shell field in /etc/passwd signifies /bin/sh.
Negative: 8.1 uucp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 operator has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 games has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 gopher has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 ftp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 nobody has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpm has a valid shell of /bin/bash.
Negative: 8.1 vcsa has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 sshd has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpc has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mailnull has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 smmsp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 pcap has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.3 /etc/login.defs value PASS_MAX_DAYS = 99999, but should not exceed 90.
Negative: 8.3 /etc/login.defs value PASS_MIN_DAYS = 0, but should not be less than 7.
Negative: 8.3 /etc/login.defs value PASS_MIN_LEN = 5, but should be at least 6.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block group-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block group-read/write/execute.
Negative: 8.11 Coredumps aren't deactivated.
Negative: 8.13 Pam /etc/pam.d/su does not require wheel group for su access.
Negative: 9.1 /etc/motd doesn't contain an authorized usage only banner.
Negative: 9.1 /etc/issue doesn't contain an authorized usage only banner.
Negative: 6.8 Found an unowned file /var/lib/nfs/statd
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/state
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/sm
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/sm.bak
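The 4.1 and 4.2 findings in this log are a fixed list of sysctl keys with the values the benchmark expects, which makes them easy to re-check after editing /etc/sysctl.conf and before re-running the CIS scorer (the next score on this page shows them cleared). The script below is an added example, not the CIS tool's own code: it audits `sysctl -a` output against exactly the keys and values the log quotes, treats `tcp_max_syn_backlog` as the lower bound the log states rather than an exact value, and prints the sysctl.conf lines that close each gap. The embedded sample is constructed to reproduce the readings from this log; nothing beyond the log's own key names and values is assumed.

```shell
#!/bin/sh
# Added example, not from the Rivalug page or the CIS scoring tool. Checks
# the kernel network parameters that CIS items 4.1/4.2 flag against the
# benchmark's expected values and prints the /etc/sysctl.conf lines needed.
# Expected values are the ones the CIS log quotes.
EXPECTED="net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0"
MIN_SYN_BACKLOG=4096   # CIS wants >= 4096: a lower bound, not an exact value

# audit_sysctl reads "sysctl -a" style output ("key = value") on stdin and
# prints "key current expected" for every deviation. Exit status 1 if any.
audit_sysctl() {
    actual=$(sed 's/[[:space:]]*=[[:space:]]*/=/')   # normalise to key=value
    rc=0
    for want in $EXPECTED; do
        key=${want%%=*}
        exp=${want#*=}
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal
        cur=$(printf '%s\n' "$actual" | sed -n "s/^$key_re=//p")
        if [ "$cur" != "$exp" ]; then
            echo "$key ${cur:-unset} $exp"
            rc=1
        fi
    done
    cur=$(printf '%s\n' "$actual" | sed -n 's/^net\.ipv4\.tcp_max_syn_backlog=//p')
    if [ -z "$cur" ] || [ "$cur" -lt "$MIN_SYN_BACKLOG" ]; then
        echo "net.ipv4.tcp_max_syn_backlog ${cur:-unset} >=$MIN_SYN_BACKLOG"
        rc=1
    fi
    return $rc
}

# fix_lines turns the deviations found on stdin into /etc/sysctl.conf lines.
fix_lines() {
    audit_sysctl | while read -r key cur exp; do
        printf '%s = %s\n' "$key" "${exp#>=}"
    done
}

# Constructed sample mirroring the CIS 4.1/4.2 findings above, plus one
# unrelated key to show that keys outside the list are ignored.
SAMPLE="net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.ip_forward = 0"

if [ "${1:-}" = "--live" ]; then
    # On the host: audit the running kernel directly.
    sysctl -a 2>/dev/null | audit_sysctl && echo "CIS 4.1/4.2 sysctl values OK"
else
    printf '%s\n' "$SAMPLE" | audit_sysctl || echo "--- proposed /etc/sysctl.conf lines ---"
    printf '%s\n' "$SAMPLE" | fix_lines
fi
```

Run it with `--live` as root on the host. Append the `fix_lines` output to /etc/sysctl.conf, `chmod 600` the file (the 4.2 finding about group and world readability), and load it with `sysctl -p`; the `conf.default.*` keys only affect interfaces brought up afterwards, which is why the benchmark checks both `all` and `default` and this script does too.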
Services 2
/sbin/chkconfig --list | grep :on | sort
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
keytable 0:off 1:on 2:on 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
random 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Processes 2
/bin/ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 3 0.0 0.0 0 0 ? SW 23:56 0:00 [migration/1]
root 2 0.0 0.0 0 0 ? SW 23:56 0:00 [migration/0]
root 1 2.8 0.3 1364 464 ? S 23:56 0:03 init
root 4 0.0 0.0 0 0 ? SW 23:56 0:00 [keventd]
root 5 0.0 0.0 0 0 ? SWN 23:56 0:00 [ksoftirqd_CPU0]
root 6 0.0 0.0 0 0 ? SWN 23:56 0:00 [ksoftirqd_CPU1]
root 11 0.0 0.0 0 0 ? SW 23:56 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 23:56 0:00 [kswapd]
root 8 0.0 0.0 0 0 ? SW 23:56 0:00 [kscand/DMA]
root 9 0.0 0.0 0 0 ? SW 23:56 0:00 [kscand/Normal]
root 10 0.0 0.0 0 0 ? SW 23:56 0:00 [kscand/HighMem]
root 12 0.0 0.0 0 0 ? SW 23:56 0:00 [kupdated]
root 13 0.0 0.0 0 0 ? SW 23:56 0:00 [mdrecoveryd]
root 19 0.0 0.0 0 0 ? SW 23:56 0:00 [scsi_eh_0]
root 22 0.0 0.0 0 0 ? SW 23:56 0:00 [kjournald]
root 80 0.0 0.0 0 0 ? SW 23:56 0:00 [khubd]
root 154 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 155 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 156 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 157 0.0 0.0 0 0 ? SW 23:57 0:00 [kjournald]
root 451 0.1 0.4 1436 576 ? S 23:57 0:00 syslogd -m 0
root 455 0.0 0.3 1372 432 ? S 23:57 0:00 klogd -x
root 492 0.6 1.1 3504 1496 ? S 23:57 0:00 /usr/sbin/sshd
root 526 0.4 1.5 6748 1988 ? S 23:58 0:00  \_ /usr/sbin/sshd
joeuser 528 0.2 1.7 6788 2216 ? S 23:58 0:00      \_ [sshd]
joeuser 529 0.3 1.0 4296 1376 pts/0 S 23:58 0:00          \_ -bash
root 563 0.1 0.7 4088 920 pts/0 S 23:58 0:00              \_ [su]
root 564 0.9 1.0 4296 1376 pts/0 S 23:58 0:00                  \_ -bash
root 605 0.0 0.5 2616 664 pts/0 R 23:58 0:00                      \_ ps faux
root 505 0.0 0.4 1420 568 ? S 23:57 0:00 crond
root 520 0.0 0.3 1352 400 tty1 S 23:57 0:00 /sbin/mingetty tty1
root 521 0.0 0.3 1352 400 tty2 S 23:57 0:00 /sbin/mingetty tty2
root 522 0.0 0.3 1352 400 tty3 S 23:57 0:00 /sbin/mingetty tty3
root 523 0.0 0.3 1352 400 tty4 S 23:57 0:00 /sbin/mingetty tty4
root 524 0.0 0.3 1352 400 tty5 S 23:57 0:00 /sbin/mingetty tty5
root 525 0.0 0.3 1352 400 tty6 S 23:57 0:00 /sbin/mingetty tty6
Disk Usage 3
/bin/df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda3 981M 176M 755M 19% /
/dev/hda2 99M 26M 69M 27% /boot
/dev/hda8 3.7G 241M 3.3G 7% /home
none 62M 0 62M 0% /dev/shm
/dev/hda5 587M 308M 250M 56% /usr
/dev/hda6 373M 123M 231M 35% /var
After Reducing Remote Access
CIS Benchmark Score 3
Rating = 7.78 / 10.00
egrep "^Negative" ./cis-most-recent-log
Negative: 1.4 sysstat system accounting package is NOT installed.
Negative: 3.1 umask not found in first /etc/rcX.d script /etc/rc3.d/S08iptables.
Negative: 6.1 /usr is not mounted nodev.
Negative: 6.1 /var is not mounted nodev.
Negative: 6.1 /home is not mounted nodev.
Negative: 6.1 /boot is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/cdrom is not mounted nodev.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nosuid.
Negative: 6.2 Removable filesystem /mnt/floppy is not mounted nodev.
Negative: 6.3 PAM allows users to mount removable media: <floppy>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <cdrom>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <pilot>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <jaz>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <zip>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <ls120>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <camera>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <memstick>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <flash>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <diskonkey>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rem_ide>. (/etc/security/console.perms)
Negative: 6.3 PAM allows users to mount removable media: <rio500>. (/etc/security/console.perms)
Negative: 7.4 Couldn't open cron.allow
Negative: 7.4 Couldn't open at.allow
Negative: 7.5 The permissions on /etc/crontab are not sufficiently restrictive.
Negative: 8.1 bin has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 daemon has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 adm has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 lp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mail has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 news has a valid shell of /bin/sh. Remember, an empty shell field in /etc/passwd signifies /bin/sh.
Negative: 8.1 uucp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 operator has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 games has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 gopher has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 ftp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 nobody has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpm has a valid shell of /bin/bash.
Negative: 8.1 vcsa has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 sshd has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 rpc has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 mailnull has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 smmsp has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.1 pcap has a valid shell of /sbin/nologin. Remember, the /sbin/nologin shell, when found in /etc/shells, leaves a user potentially able to use FTP.
Negative: 8.3 User carlisle should have a minimum password life of at least 7 days.
Negative: 8.3 User carlisle should have a maximum password life of between 1 and 90 days.
Negative: 8.3 /etc/login.defs value PASS_MAX_DAYS = 99999, but should not exceed 90.
Negative: 8.3 /etc/login.defs value PASS_MIN_DAYS = 0, but should not be less than 7.
Negative: 8.3 /etc/login.defs value PASS_MIN_LEN = 5, but should be at least 6.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/bashrc is 022 -- it should be stronger to block group-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block world-read/write/execute.
Negative: 8.10 Current umask setting in file /etc/csh.cshrc is 002 -- it should be stronger to block group-read/write/execute.
Negative: 8.11 Coredumps aren't deactivated.
Negative: 8.12 Compilers not removed; The gcc package is installed.
Negative: 8.13 Pam /etc/pam.d/su does not require wheel group for su access.
Negative: 6.8 Found an unowned file /var/lib/nfs/statd
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/state
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/sm
Negative: 6.8 Found an unowned file /var/lib/nfs/statd/sm.bak
Processes 3
/bin/ps faux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.4 0.3 1380 480 ? S 16:55 0:03 init
root 2 0.0 0.0 0 0 ? SW 16:55 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 16:55 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 16:55 0:00 [ksoftirqd_CPU0]
root 9 0.0 0.0 0 0 ? SW 16:55 0:00 [bdflush]
root 5 0.0 0.0 0 0 ? SW 16:55 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 16:55 0:00 [kscand/DMA]
root 7 0.0 0.0 0 0 ? SW 16:55 0:00 [kscand/Normal]
root 8 0.0 0.0 0 0 ? SW 16:55 0:00 [kscand/HighMem]
root 10 0.0 0.0 0 0 ? SW 16:55 0:00 [kupdated]
root 11 0.0 0.0 0 0 ? SW 16:55 0:00 [mdrecoveryd]
root 17 0.0 0.0 0 0 ? SW 16:55 0:00 [scsi_eh_0]
root 20 0.0 0.0 0 0 ? SW 16:55 0:00 [kjournald]
root 90 0.0 0.0 0 0 ? SW 16:55 0:00 [khubd]
root 164 0.0 0.0 0 0 ? SW 16:55 0:00 [kjournald]
root 165 0.0 0.0 0 0 ? SW 16:55 0:00 [kjournald]
root 166 0.0 0.0 0 0 ? SW 16:55 0:00 [kjournald]
root 167 0.0 0.0 0 0 ? SW 16:55 0:00 [kjournald]
root 466 0.0 0.4 1452 608 ? S 16:56 0:00 syslogd -m 0
root 470 0.0 0.3 1384 464 ? S 16:56 0:00 klogd -x
root 506 0.0 1.1 3520 1456 ? S 16:56 0:00 /usr/sbin/sshd
root 544 0.0 1.5 6772 1992 ? S 16:57 0:00  \_ /usr/sbin/sshd
joeuser 546 0.0 1.7 6812 2244 ? S 16:57 0:00      \_ /usr/sbin/sshd
joeuser 547 0.0 1.1 4312 1392 pts/0 S 16:57 0:00          \_ -bash
root 582 0.0 0.7 4100 952 pts/0 S 16:57 0:00              \_ su -
root 583 0.0 1.1 4316 1416 pts/0 S 16:57 0:00                  \_ -bash
root 696 0.0 0.5 2616 672 pts/0 R 17:07 0:00                      \_ /bin/ps faux
root 519 0.0 0.4 1432 592 ? S 16:56 0:00 crond
root 543 0.0 0.3 1360 384 tty1 S 16:56 0:00 /sbin/mingetty tty1
Open Files 3
/usr/sbin/lsof
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
init 1 root cwd DIR 3,3 4096 2 /
init 1 root rtd DIR 3,3 4096 2 /
init 1 root txt REG 3,3 27036 16186 /sbin/init
init 1 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so
init 1 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so
init 1 root 10u FIFO 3,3 71396 /dev/initctl
keventd 2 root cwd DIR 3,3 4096 2 /
keventd 2 root rtd DIR 3,3 4096 2 /
keventd 2 root 0u CHR 5,1 63974 /dev/console
keventd 2 root 1u CHR 5,1 63974 /dev/console
keventd 2 root 2u CHR 5,1 63974 /dev/console
kapmd 3 root cwd DIR 3,3 4096 2 /
kapmd 3 root rtd DIR 3,3 4096 2 /
kapmd 3 root 0u CHR 5,1 63974 /dev/console
kapmd 3 root 1u CHR 5,1 63974 /dev/console
kapmd 3 root 2u CHR 5,1 63974 /dev/console
ksoftirqd 4 root cwd DIR 3,3 4096 2 /
ksoftirqd 4 root rtd DIR 3,3 4096 2 /
ksoftirqd 4 root 0u CHR 5,1 63974 /dev/console
ksoftirqd 4 root 1u CHR 5,1 63974 /dev/console
ksoftirqd 4 root 2u CHR 5,1 63974 /dev/console
kswapd 5 root cwd DIR 3,3 4096 2 /
kswapd 5 root rtd DIR 3,3 4096 2 /
kswapd 5 root 0u CHR 5,1 63974 /dev/console
kswapd 5 root 1u CHR 5,1 63974 /dev/console
kswapd 5 root 2u CHR 5,1 63974 /dev/console
kscand/DM 6 root cwd DIR 3,3 4096 2 /
kscand/DM 6 root rtd DIR 3,3 4096 2 /
kscand/DM 6 root 0u CHR 5,1 63974 /dev/console
kscand/DM 6 root 1u CHR 5,1 63974 /dev/console
kscand/DM 6 root 2u CHR 5,1 63974 /dev/console
kscand/No 7 root cwd DIR 3,3 4096 2 /
kscand/No 7 root rtd DIR 3,3 4096 2 /
kscand/No 7 root 0u CHR 5,1 63974 /dev/console
kscand/No 7 root 1u CHR 5,1 63974 /dev/console
kscand/No 7 root 2u CHR 5,1 63974 /dev/console
kscand/Hi 8 root cwd DIR 3,3 4096 2 /
kscand/Hi 8 root rtd DIR 3,3 4096 2 /
kscand/Hi 8 root 0u CHR 5,1 63974 /dev/console
kscand/Hi 8 root 1u CHR 5,1 63974 /dev/console
kscand/Hi 8 root 2u CHR 5,1 63974 /dev/console
bdflush 9 root cwd DIR 3,3 4096 2 /
bdflush 9 root rtd DIR 3,3 4096 2 /
bdflush 9 root 0u CHR 5,1 63974 /dev/console
bdflush 9 root 1u CHR 5,1 63974 /dev/console
bdflush 9 root 2u CHR 5,1 63974 /dev/console
kupdated 10 root cwd DIR 3,3 4096 2 /
kupdated 10 root rtd DIR 3,3 4096 2 /
kupdated 10 root 0u CHR 5,1 63974 /dev/console
kupdated 10 root 1u CHR 5,1 63974 /dev/console
kupdated 10 root 2u CHR 5,1 63974 /dev/console
mdrecover 11 root cwd DIR 3,3 4096 2 /
mdrecover 11 root rtd DIR 3,3 4096 2 /
mdrecover 11 root 0u CHR 5,1 63974 /dev/console
mdrecover 11 root 1u CHR 5,1 63974 /dev/console
mdrecover 11 root 2u CHR 5,1 63974 /dev/console
scsi_eh_0 17 root cwd DIR 3,3 4096 2 /
scsi_eh_0 17 root rtd DIR 3,3 4096 2 /
scsi_eh_0 17 root 0u CHR 5,1 63974 /dev/console
scsi_eh_0 17 root 1u CHR 5,1 63974 /dev/console
scsi_eh_0 17 root 2u CHR 5,1 63974 /dev/console
kjournald 20 root cwd DIR 3,3 4096 2 /
kjournald 20 root rtd DIR 3,3 4096 2 /
kjournald 20 root 0u CHR 5,1 63974 /dev/console
kjournald 20 root 1u CHR 5,1 63974 /dev/console
kjournald 20 root 2u CHR 5,1 63974 /dev/console
khubd 90 root cwd DIR 3,3 4096 2 /
khubd 90 root rtd DIR 3,3 4096 2 /
khubd 90 root 0u CHR 5,1 63974 /dev/console
khubd 90 root 1u CHR 5,1 63974 /dev/console
khubd 90 root 2u CHR 5,1 63974 /dev/console
kjournald 164 root cwd DIR 3,3 4096 2 /
kjournald 164 root rtd DIR 3,3 4096 2 /
kjournald 164 root 0u CHR 5,1 63974 /dev/console
kjournald 164 root 1u CHR 5,1 63974 /dev/console
kjournald 164 root 2u CHR 5,1 63974 /dev/console
kjournald 165 root cwd DIR 3,3 4096 2 /
kjournald 165 root rtd DIR 3,3 4096 2 /
kjournald 165 root 0u CHR 5,1 63974 /dev/console
kjournald 165 root 1u CHR 5,1 63974 /dev/console
kjournald 165 root 2u CHR 5,1 63974 /dev/console
kjournald 166 root cwd DIR 3,3 4096 2 /
kjournald 166 root rtd DIR 3,3 4096 2 /
kjournald 166 root 0u CHR 5,1 63974 /dev/console
kjournald 166 root 1u CHR 5,1 63974 /dev/console
kjournald 166 root 2u CHR 5,1 63974 /dev/console
kjournald 167 root cwd DIR 3,3 4096 2 /
kjournald 167 root rtd DIR 3,3 4096 2 /
kjournald 167 root 0u CHR 5,1 63974 /dev/console
kjournald 167 root 1u CHR 5,1 63974 /dev/console
kjournald 167 root 2u CHR 5,1 63974 /dev/console
syslogd 466 root cwd DIR 3,3 4096 2 /
syslogd 466 root rtd DIR 3,3 4096 2 /
syslogd 466 root txt REG 3,3 33861 17350 /sbin/syslogd
syslogd 466 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so
syslogd 466 root mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so
syslogd 466 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so
syslogd 466 root 0u unix 0xc14ef580 1020 /dev/log
syslogd 466 root 1w REG 3,6 48865 16067 /var/log/messages
syslogd 466 root 2w REG 3,6 1877 16068 /var/log/secure
syslogd 466 root 3w REG 3,6 1289 16069 /var/log/maillog
syslogd 466 root 4w REG 3,6 10644 16074 /var/log/cron
syslogd 466 root 5w REG 3,6 0 16070 /var/log/spooler
syslogd 466 root 6w REG 3,6 5973 16075 /var/log/boot.log
klogd 470 root cwd DIR 3,3 4096 2 /
klogd 470 root rtd DIR 3,3 4096 2 /
klogd 470 root txt REG 3,3 27080 17349 /sbin/klogd
klogd 470 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so
klogd 470 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so
klogd 470 root 0r REG 0,2 0 4113 /proc/kmsg
klogd 470 root 1u unix 0xc14efa80 1028 socket
sshd 506 root cwd DIR 3,3 4096 2 /
sshd 506 root rtd DIR 3,3 4096 2 /
sshd 506 root txt REG 3,5 278776 32528 /usr/sbin/sshd
sshd 506 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so
sshd 506 root mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6
sshd 506 root mem REG 3,3 30448 16172 /lib/libpam.so.0.75
sshd 506 root mem REG 3,3 15900 15986 /lib/libdl-2.3.2.so
sshd 506 root mem REG 3,3 76608 16006 /lib/libresolv-2.3.2.so
sshd 506 root mem REG 3,3 12716 16012 /lib/libutil-2.3.2.so
sshd 506 root mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4
sshd 506 root mem REG 3,3 91624 15990 /lib/libnsl-2.3.2.so
sshd 506 root mem REG 3,3 971676 16016 /lib/libcrypto.so.0.9.7a
sshd 506 root mem REG 3,5 385220 62490 /usr/kerberos/lib/libkrb5.so.3.1
sshd 506 root mem REG 3,5 63880 62477 /usr/kerberos/lib/libk5crypto.so.3.0
sshd 506 root mem REG 3,5 5572 62460 /usr/kerberos/lib/libcom_err.so.3.0
sshd 506 root mem REG 3,5 73724 62466
/usr/kerberos/lib/libgssapi_krb5.so.2.2 sshd 506 root mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so sshd 506 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so sshd 506 root 0u CHR 1,3 65410 /dev/null sshd 506 root 1u CHR 1,3 65410 /dev/null sshd 506 root 2u CHR 1,3 65410 /dev/null sshd 506 root 3u IPv4 1118 TCP *:ssh (LISTEN) crond 519 root cwd DIR 3,6 1024 42169 /var/spool crond 519 root rtd DIR 3,3 4096 2 / crond 519 root txt REG 3,5 23228 34034 /usr/sbin/crond crond 519 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so crond 519 root mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so crond 519 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so crond 519 root 0u CHR 5,1 63974 /dev/console crond 519 root 1w FIFO 0,5 1134 pipe crond 519 root 2w FIFO 0,5 1135 pipe crond 519 root 3u REG 3,6 4 40167 /var/run/crond.pid crond 519 root 4u unix 0xc15f7080 1138 socket mingetty 543 root cwd DIR 3,3 4096 2 / mingetty 543 root rtd DIR 3,3 4096 2 / mingetty 543 root txt REG 3,3 8608 16048 /sbin/mingetty mingetty 543 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so mingetty 543 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so mingetty 543 root 0u CHR 4,1 70200 /dev/tty1 mingetty 543 root 1u CHR 4,1 70200 /dev/tty1 mingetty 543 root 2u CHR 4,1 70200 /dev/tty1 sshd 544 root cwd DIR 3,3 4096 2 / sshd 544 root rtd DIR 3,3 4096 2 / sshd 544 root txt REG 3,5 278776 32528 /usr/sbin/sshd sshd 544 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so sshd 544 root mem REG 3,3 4856 98074 /lib/security/pam_nologin.so sshd 544 root mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6 sshd 544 root mem REG 3,3 30448 16172 /lib/libpam.so.0.75 sshd 544 root mem REG 3,3 15900 15986 /lib/libdl-2.3.2.so sshd 544 root mem REG 3,3 76608 16006 /lib/libresolv-2.3.2.so sshd 544 root mem REG 3,3 12716 16012 /lib/libutil-2.3.2.so sshd 544 root mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4 sshd 544 root mem REG 3,3 91624 15990 /lib/libnsl-2.3.2.so sshd 544 root mem REG 3,3 971676 16016 
/lib/libcrypto.so.0.9.7a sshd 544 root mem REG 3,5 385220 62490 /usr/kerberos/lib/libkrb5.so.3.1 sshd 544 root mem REG 3,5 63880 62477 /usr/kerberos/lib/libk5crypto.so.3.0 sshd 544 root mem REG 3,5 5572 62460 /usr/kerberos/lib/libcom_err.so.3.0 sshd 544 root mem REG 3,5 73724 62466 /usr/kerberos/lib/libgssapi_krb5.so.2.2 sshd 544 root mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so sshd 544 root mem REG 3,3 3404 98059 /lib/security/pam_deny.so sshd 544 root mem REG 3,3 18460 15994 /lib/libnss_dns-2.3.2.so sshd 544 root mem CHR 1,5 71389 /dev/zero sshd 544 root mem REG 3,3 11132 98081 /lib/security/pam_stack.so sshd 544 root mem REG 3,3 12324 98068 /lib/security/pam_limits.so sshd 544 root mem REG 3,3 47584 98057 /lib/security/pam_console.so sshd 544 root mem REG 3,5 150624 31399 /usr/lib/libglib-1.2.so.0.0.10 sshd 544 root mem REG 3,3 11592 98060 /lib/security/pam_env.so sshd 544 root mem REG 3,3 48544 98086 /lib/security/pam_unix.so sshd 544 root mem REG 3,3 23688 15984 /lib/libcrypt-2.3.2.so sshd 544 root mem REG 3,3 12964 98058 /lib/security/pam_cracklib.so sshd 544 root mem REG 3,5 27596 31384 /usr/lib/libcrack.so.2.7 sshd 544 root mem CHR 1,5 71389 /dev/zero sshd 544 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so sshd 544 root 0r CHR 1,3 65410 /dev/null sshd 544 root 1u CHR 1,3 65410 /dev/null sshd 544 root 2u CHR 1,3 65410 /dev/null sshd 544 root 3u CHR 5,2 65548 /dev/ptmx sshd 544 root 4u IPv4 1179 TCP 192.168.5.252:ssh->192.168.5.197:33828 (ESTABLISHED) sshd 544 root 5u unix 0xc15f7580 1193 socket sshd 546 carlisle cwd DIR 3,3 4096 2 / sshd 546 carlisle rtd DIR 3,3 4096 2 / sshd 546 carlisle txt REG 3,5 278776 32528 /usr/sbin/sshd sshd 546 carlisle mem REG 3,3 106400 16129 /lib/ld-2.3.2.so sshd 546 carlisle mem REG 3,3 4856 98074 /lib/security/pam_nologin.so sshd 546 carlisle mem REG 3,5 28452 33949 /usr/lib/libwrap.so.0.7.6 sshd 546 carlisle mem REG 3,3 30448 16172 /lib/libpam.so.0.75 sshd 546 carlisle mem REG 3,3 15900 15986 /lib/libdl-2.3.2.so 
sshd 546 carlisle mem REG 3,3 76608 16006 /lib/libresolv-2.3.2.so sshd 546 carlisle mem REG 3,3 12716 16012 /lib/libutil-2.3.2.so sshd 546 carlisle mem REG 3,5 52616 31915 /usr/lib/libz.so.1.1.4 sshd 546 carlisle mem REG 3,3 91624 15990 /lib/libnsl-2.3.2.so sshd 546 carlisle mem REG 3,3 971676 16016 /lib/libcrypto.so.0.9.7a sshd 546 carlisle mem REG 3,5 385220 62490 /usr/kerberos/lib/libkrb5.so.3.1 sshd 546 carlisle mem REG 3,5 63880 62477 /usr/kerberos/lib/libk5crypto.so.3.0 sshd 546 carlisle mem REG 3,5 5572 62460 /usr/kerberos/lib/libcom_err.so.3.0 sshd 546 carlisle mem REG 3,5 73724 62466 /usr/kerberos/lib/libgssapi_krb5.so.2.2 sshd 546 carlisle mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so sshd 546 carlisle mem REG 3,3 3404 98059 /lib/security/pam_deny.so sshd 546 carlisle mem REG 3,3 18460 15994 /lib/libnss_dns-2.3.2.so sshd 546 carlisle mem CHR 1,5 71389 /dev/zero sshd 546 carlisle mem REG 3,3 11132 98081 /lib/security/pam_stack.so sshd 546 carlisle mem REG 3,3 12324 98068 /lib/security/pam_limits.so sshd /libk5crypto.so.3.0 REG 3,3 47584 98057 /lib/security/pam_console.so sshd 546 carlisle mem REG 3,5 150624 31399 /usr/lib/libglib-1.2.so.0.0.10 sshd 546 carlisle mem REG 3,3 11592 98060 /lib/security/pam_env.so sshd 546 carlisle mem REG 3,3 48544 98086 /lib/security/pam_unix.so sshd 546 carlisle mem REG 3,3 23688 15984 /lib/libcrypt-2.3.2.so sshd 546 carlisle mem REG 3,3 12964 98058 /lib/security/pam_cracklib.so sshd 546 carlisle mem REG 3,5 27596 31384 /usr/lib/libcrack.so.2.7 sshd 546 carlisle mem CHR 1,5 71389 /dev/zero sshd 546 carlisle mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so sshd 546 carlisle 0u CHR 1,3 65410 /dev/null sshd 546 carlisle 1u CHR 1,3 65410 /dev/null sshd 546 carlisle 2u CHR 1,3 65410 /dev/null sshd 546 carlisle 3u unix 0xc7f32a80 1192 socket sshd 546 carlisle 4u IPv4 1179 TCP 192.168.0.2:ssh->192.168.0.1:33828 (ESTABLISHED) sshd 546 carlisle 5r FIFO 0,5 1194 pipe sshd 546 carlisle 6w FIFO 0,5 1194 pipe sshd 546 carlisle 7u 
CHR 5,2 65548 /dev/ptmx sshd 546 carlisle 8u CHR 5,2 65548 /dev/ptmx sshd 546 carlisle 9u CHR 5,2 65548 /dev/ptmx bash 547 carlisle cwd DIR 3,8 4096 16192 /home/carlisle bash 547 carlisle rtd DIR 3,3 4096 2 / bash 547 carlisle txt REG 3,3 626028 79854 /bin/bash bash 547 carlisle mem REG 3,3 106400 16129 /lib/ld-2.3.2.so bash 547 carlisle mem REG 3,3 11784 16064 /lib/libtermcap.so.2.0.8 bash 547 carlisle mem REG 3,3 15900 15986 /lib/libdl-2.3.2.so bash 547 carlisle mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so bash 547 carlisle mem REG 3,5 31202800 47761 /usr/lib/locale/locale-archive bash 547 carlisle mem REG 3,5 21040 46781 /usr/lib/gconv/gconv-modules.cache bash 547 carlisle mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so bash 547 carlisle 0u CHR 136,0 2 /dev/pts/0 bash 547 carlisle 1u CHR 136,0 2 /dev/pts/0 bash 547 carlisle 2u CHR 136,0 2 /dev/pts/0 bash 547 carlisle 255u CHR 136,0 2 /dev/pts/0 su 582 root cwd DIR 3,8 4096 16192 /home/carlisle su 582 root rtd DIR 3,3 4096 2 / su 582 root txt REG 3,3 97260 79904 /bin/su su 582 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so su 582 root mem REG 3,3 3936 98078 /lib/security/pam_rootok.so su 582 root mem REG 3,3 30448 16172 /lib/libpam.so.0.75 su 582 root mem REG 3,3 8548 16173 /lib/libpam_misc.so.0.75 su 582 root mem REG 3,3 23688 15984 /lib/libcrypt-2.3.2.so su 582 root mem REG 3,3 15900 15986 /lib/libdl-2.3.2.so su 582 root mem REG 3,5 31202800 47761 /usr/lib/locale/locale-archive su 582 root mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so su 582 root mem REG 3,3 11132 98081 /lib/security/pam_stack.so su 582 root mem REG 3,3 13860 98094 /lib/security/pam_xauth.so su 582 root mem REG 3,3 3404 98059 /lib/security/pam_deny.so su 582 root mem REG 3,3 11592 98060 /lib/security/pam_env.so su 582 root mem REG 3,3 48544 98086 /lib/security/pam_unix.so su 582 root mem REG 3,3 91624 15990 /lib/libnsl-2.3.2.so su 582 root mem REG 3,3 12964 98058 /lib/security/pam_cracklib.so su 582 root mem REG 3,5 27596 31384 
/usr/lib/libcrack.so.2.7 su 582 root mem REG 3,3 12324 98068 /lib/security/pam_limits.so su 582 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so su 582 root 0u CHR 136,0 2 /dev/pts/0 su 582 root 1u CHR 136,0 2 /dev/pts/0 su 582 root 2u CHR 136,0 2 /dev/pts/0 bash 583 root cwd DIR 3,3 4096 15970 /root bash 583 root rtd DIR 3,3 4096 2 / bash 583 root txt REG 3,3 626028 79854 /bin/bash bash 583 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so bash 583 root mem REG 3,3 11784 16064 /lib/libtermcap.so.2.0.8 bash 583 root mem REG 3,3 15900 15986 /lib/libdl-2.3.2.so bash 583 root mem REG 3,3 52492 15996 /lib/libnss_files-2.3.2.so bash 583 root mem REG 3,5 31202800 47761 /usr/lib/locale/locale-archive bash 583 root mem REG 3,5 21040 46781 /usr/lib/gconv/gconv-modules.cache bash 583 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so bash 583 root 0u CHR 136,0 2 /dev/pts/0 bash 583 root 1u CHR 136,0 2 /dev/pts/0 bash 583 root 2u CHR 136,0 2 /dev/pts/0 bash 583 root 255u CHR 136,0 2 /dev/pts/0 lsof 699 root cwd DIR 3,3 4096 15970 /root lsof 699 root rtd DIR 3,3 4096 2 / lsof 699 root txt REG 3,5 95640 32894 /usr/sbin/lsof lsof 699 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so lsof 699 root mem REG 3,5 31202800 47761 /usr/lib/locale/locale-archive lsof 699 root mem REG 3,5 21040 46781 /usr/lib/gconv/gconv-modules.cache lsof 699 root mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so lsof 699 root 0u CHR 136,0 2 /dev/pts/0 lsof 699 root 1w REG 3,3 0 17372 /root/lsof.2 lsof 699 root 1w REG 3,3 0 17372 /root/lsof.2 lsof 699 root 2u CHR 136,0 2 /dev/pts/0 lsof 699 root 3r DIR 0,2 0 1 /proc lsof 699 root 4r DIR 0,2 0 45809672 /proc/699/fd lsof 699 root 5w FIFO 0,5 3898 pipe lsof 699 root 6r FIFO 0,5 3899 pipe lsof 700 root cwd DIR 3,3 4096 15970 /root lsof 700 root rtd DIR 3,3 4096 2 / lsof 700 root txt REG 3,5 95640 32894 /usr/sbin/lsof lsof 700 root mem REG 3,3 106400 16129 /lib/ld-2.3.2.so lsof 700 root mem REG 3,5 31202800 47761 /usr/lib/locale/locale-archive lsof 700 root 
mem REG 3,3 1539996 79870 /lib/tls/libc-2.3.2.so lsof 700 root 4r FIFO 0,5 3898 pipe lsof 700 root 7w FIFO 0,5 3899 pipe
Network Connections
/bin/netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 192.168.0.2:ssh 192.168.0.1:33828 ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 4 [ ] DGRAM 1020 /dev/log
unix 3 [ ] STREAM CONNECTED 1193
unix 3 [ ] STREAM CONNECTED 1192
unix 2 [ ] DGRAM 1138
unix 2 [ ] DGRAM 1028
Vulnerability Scan
nessus against iptables running
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 1
- Number of security warnings found : 3
- Number of security notes found : 5
TESTED HOSTS
192.168.0.2 (Security holes found)
DETAILS
+ 192.168.0.2 :
. List of open ports :
   o ssh (22/tcp) (Security hole found)
   o general/tcp (Security warnings found)
   o general/icmp (Security warnings found)
   o general/udp (Security notes found)
. Vulnerability found on port ssh (22/tcp) :
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management functions which might allow an attacker to execute arbitrary commands on this host.
An exploit for this issue is rumored to exist.
Note that several distribution patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also :
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
. Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of hosts a given user can log from by specifying a pattern in the user key file (ie: *.mynetwork.com would let a user connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups. If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
. Information found on port ssh (22/tcp)
An ssh server is running on this port
. Information found on port ssh (22/tcp)
Remote SSH version : SSH-2.0-OpenSSH_3.5p1
Remote SSH supported authentication : publickey,password
Remote SSH banner :
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
. Information found on port ssh (22/tcp)
The remote SSH daemon supports the following versions of the SSH protocol :
. 1.99
. 2.0
SSHv2 host key fingerprint : 9c:e5:d6:72:fd:56:1c:d9:28:b7:58:55:eb:25:12:32
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which have the FIN flag set.
Depending on the kind of firewall you are using, an attacker may use this flaw to bypass its rules.
See also :
http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113
Solution : Contact your vendor for a patch
Risk factor : Medium
BID : 7487
. Information found on port general/tcp
The remote host is running Linux Kernel 2.4
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.
This may help him to defeat all your time based authentication protocols.
Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
. Information found on port general/udp
For your information, here is the traceroute to 192.168.0.2 :
192.168.0.1
192.168.0.2
------------------------------------------------------
This file was generated by the Nessus Security Scanner
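The OpenSSH hole above is decided purely from the version banner, which is why the plugin itself says to confirm it with rpm on a Red Hat host. The script below is an added example, not part of this wiki page or of Nessus: it applies the plugin's two checks in code, flagging the banner version if it is older than 3.7.1 and then comparing the installed openssh-server package against the fixed release listed in the finding. Package ordering follows rpm's segment-by-segment rules, reimplemented here (tilde and caret pre-release ordering are left out). The banner is the one the scan reported for this host; the two `rpm -q openssh-server` results fed to it are constructed inputs, one at the fixed release and one older.

```python
import re

# Fixed openssh-server packages as listed in the Nessus finding above
# (name-version-release as printed by 'rpm -q openssh-server').
FIXED_OPENSSH_SERVER = {
    "RedHat 7.x": "openssh-server-3.1p1-13",
    "RedHat 8.0": "openssh-server-3.4p1-7",
    "RedHat 9":   "openssh-server-3.5p1-11",
}
FIXED_UPSTREAM = "3.7.1"   # the plugin flags any banner version older than this

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Order two version (or release) strings the way rpm does.
    Returns -1, 0 or 1. Tilde/caret pre-release ordering is not implemented."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alpha one
        elif x != y:
            return 1 if x > y else -1        # alpha segments compare as plain strings
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1    # whichever still has segments left is newer

def split_nvr(nvr):
    """'openssh-server-3.5p1-11' -> ('openssh-server', '3.5p1', '11')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def compare_packages(nvr_a, nvr_b):
    """Compare two name-version-release strings of the same package."""
    _, va, ra = split_nvr(nvr_a)
    _, vb, rb = split_nvr(nvr_b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def banner_version(banner):
    """'SSH-2.0-OpenSSH_3.5p1' -> '3.5p1'; None if the server is not OpenSSH."""
    m = re.search(r"OpenSSH[_-]([0-9][0-9A-Za-z.]*)", banner)
    return m.group(1) if m else None

def assess(banner, rpm_query_output, distro):
    """Reconcile the banner-based finding with what rpm says is installed."""
    version = banner_version(banner)
    banner_vulnerable = version is not None and rpmvercmp(version, FIXED_UPSTREAM) < 0
    installed = rpm_query_output.strip()
    fixed = FIXED_OPENSSH_SERVER[distro]
    patched = compare_packages(installed, fixed) >= 0
    if not banner_vulnerable:
        verdict = "not flagged"
    elif patched:
        verdict = "false positive: backported fix installed"
    else:
        verdict = "vulnerable: upgrade openssh-server"
    return {"banner_version": version, "banner_vulnerable": banner_vulnerable,
            "installed": installed, "fixed": fixed, "patched": patched,
            "verdict": verdict}

if __name__ == "__main__":
    # The banner is the one Nessus reported for this host; the two rpm -q results
    # are constructed inputs (one at the fixed release, one older).
    for rpm_out in ("openssh-server-3.5p1-11", "openssh-server-3.5p1-6"):
        r = assess("SSH-2.0-OpenSSH_3.5p1", rpm_out, "RedHat 9")
        print(f"{r['installed']:26} {r['verdict']}")
```

The release number is what carries the backported fix, so the comparison has to be done on version and release together; comparing the banner alone is exactly what produces the false positive the plugin warns about.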
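The same scan is repeated below with iptables stopped, and the point of this page is to run it again after hardening, so it is worth parsing these plain-text reports and diffing them instead of comparing by eye. The Python below is an added example, not part of the wiki page or of Nessus: it parses the ". Vulnerability/Warning/Information found on port ..." blocks of the text report, pulls out the Risk factor, CVE and BID lines, and reports which findings disappeared, appeared or persisted between two scans. The first report is a condensed copy of the scan above; the second is a constructed, hypothetical rescan after an OpenSSH upgrade and ICMP filtering, not a result from this page.

```python
import re

# One finding block in Nessus's text report starts with a line such as
# ". Vulnerability found on port ssh (22/tcp) :" or ". Warning found on port general/icmp"
FINDING_HEADER = re.compile(
    r"^\. (Vulnerability|Warning|Information) found on port (.+?)\s*:?\s*$")

def parse_report(text):
    """Return the findings of one Nessus text report as a list of dicts."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = FINDING_HEADER.match(line)
        if m:
            current = {"severity": m.group(1), "port": m.group(2),
                       "body": [], "risk": None, "cve": [], "bid": []}
            findings.append(current)
            continue
        if line.startswith("+ ") or line.startswith("------"):
            current = None            # next host, or the report footer
            continue
        if current is None or not line:
            continue
        if line.startswith("Risk factor :"):
            current["risk"] = line.split(":", 1)[1].strip()
        elif line.startswith("CVE :"):
            current["cve"] = [c.strip() for c in line.split(":", 1)[1].split(",")]
        elif line.startswith("BID :"):
            current["bid"] = [b.strip() for b in line.split(":", 1)[1].split(",")]
        else:
            current["body"].append(line)
    return findings

def finding_key(f):
    """Identity used for diffing: severity, port and the first line of text."""
    return (f["severity"], f["port"], f["body"][0] if f["body"] else "")

def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts

def diff_reports(before_text, after_text):
    """Findings that disappeared, appeared, or persisted between two scans."""
    before = {finding_key(f) for f in parse_report(before_text)}
    after = {finding_key(f) for f in parse_report(after_text)}
    return {"fixed": sorted(before - after),
            "new": sorted(after - before),
            "unchanged": sorted(before & after)}

# Condensed copy of the scan above (iptables running).
REPORT_IPTABLES_RUNNING = """\
Nessus Scan Report
------------------
DETAILS
+ 192.168.0.2 :
. List of open ports :
   o ssh (22/tcp) (Security hole found)
. Vulnerability found on port ssh (22/tcp) :
You are running a version of OpenSSH which is older than 3.7.1
Solution : Upgrade to OpenSSH 3.7.1
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
. Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
. Information found on port ssh (22/tcp)
Remote SSH version : SSH-2.0-OpenSSH_3.5p1
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which have the FIN flag set.
Risk factor : Medium
BID : 7487
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp request.
Risk factor : Low
CVE : CAN-1999-0524
------------------------------------------------------
This file was generated by the Nessus Security Scanner
"""

# Hypothetical rescan after upgrading OpenSSH and filtering ICMP timestamps.
# Constructed for the example; not a result from this page.
REPORT_AFTER_HARDENING = """\
Nessus Scan Report
------------------
DETAILS
+ 192.168.0.2 :
. Information found on port ssh (22/tcp)
Remote SSH version : SSH-2.0-OpenSSH_3.7.1p2
. Warning found on port general/tcp
The remote host does not discard TCP SYN packets which have the FIN flag set.
Risk factor : Medium
BID : 7487
------------------------------------------------------
This file was generated by the Nessus Security Scanner
"""

if __name__ == "__main__":
    print(count_by_severity(parse_report(REPORT_IPTABLES_RUNNING)))
    for state, keys in diff_reports(REPORT_IPTABLES_RUNNING, REPORT_AFTER_HARDENING).items():
        for severity, port, text in keys:
            print(f"{state:9} {severity:13} {port:13} {text}")
```

Keying findings on the first line of their text means a finding whose wording changes (here the SSH version note) shows up once under "fixed" and once under "new"; key on CVE or BID instead when those are present and you only care about the vulnerability, not the evidence text.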
nessus against iptables stopped
Nessus Scan Report
------------------
SUMMARY
- Number of hosts which were alive during the test : 1
- Number of security holes found : 1
- Number of security warnings found : 3
- Number of security notes found : 4
TESTED HOSTS
192.168.0.2 (Security holes found)
DETAILS
+ 192.168.0.2 :
. List of open ports :
   o ssh (22/tcp) (Security hole found)
   o general/icmp (Security warnings found)
   o general/tcp (Security warnings found)
   o general/udp (Security notes found)
. Vulnerability found on port ssh (22/tcp) :
You are running a version of OpenSSH which is older than 3.7.1
Versions older than 3.7.1 are vulnerable to a flaw in the buffer management functions which might allow an attacker to execute arbitrary commands on this host.
An exploit for this issue is rumored to exist.
Note that several distribution patched this hole without changing the version number of OpenSSH. Since Nessus solely relied on the banner of the remote SSH server to perform this check, this might be a false positive.
If you are running a RedHat host, make sure that the command :
rpm -q openssh-server
Returns :
openssh-server-3.1p1-13 (RedHat 7.x)
openssh-server-3.4p1-7 (RedHat 8.0)
openssh-server-3.5p1-11 (RedHat 9)
Solution : Upgrade to OpenSSH 3.7.1
See also :
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2
http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2
Risk factor : High
CVE : CAN-2003-0682, CAN-2003-0693, CAN-2003-0695
BID : 8628
Other references : RHSA:RHSA-2003:279, SuSE:SUSE-SA:2003:039
. Warning found on port ssh (22/tcp)
You are running OpenSSH-portable 3.6.1 or older.
There is a flaw in this version which may allow an attacker to bypass the access controls set by the administrator of this server.
OpenSSH features a mechanism which can restrict the list of hosts a given user can log from by specifying a pattern in the user key file (ie: *.mynetwork.com would let a user connect only from the local network).
However there is a flaw in the way OpenSSH does reverse DNS lookups. If an attacker configures his DNS server to send a numeric IP address when a reverse lookup is performed, he may be able to circumvent this mechanism.
Solution : Upgrade to OpenSSH 3.6.2 when it comes out
Risk factor : Low
CVE : CAN-2003-0386
BID : 7831
. Information found on port ssh (22/tcp)
An ssh server is running on this port
. Information found on port ssh (22/tcp)
Remote SSH version : SSH-2.0-OpenSSH_3.5p1
Remote SSH supported authentication : publickey,password
Remote SSH banner :
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether individual, corporate or government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.
Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to your employer, to authorized site, government, and law enforcement personnel, as well as authorized officials of government agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of such personnel or officials. Unauthorized or improper use of this system may result in civil and criminal penalties and administrative or disciplinary action, as appropriate. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.
****************************************************************************
. Information found on port ssh (22/tcp)