/tmp/.NeWS-unix; you may have to set these manually or through            the system startup files.------------------------------------------------------------------------------Appendix A:  Other AUSCERT information sourcesA.1     AUSCERT advisories            Past AUSCERT advisories can be retrieved via anonymous ftp from                ftp://ftp.auscert.org.au/pub/auscert/advisory/* A.2	AUSCERT's World Wide Web server            AUSCERT maintains a World Wide Web server.  Its URL is                http://www.auscert.org.au------------------------------------------------------------------------------Appendix B:   Useful security tools        There are many good tools available for checking your system.        The list below is not a complete list, and you should NOT rely on 	these to do ALL of your work for you.  They are intended to be only 	a guide.  It is envisaged that you may write some site specific tools	to supplement these.B.1	Crack	    Crack is a fast password cracking program designed to assist site 	    administrators in ensuring that users use effective passwords.            Available via anonymous ftp from:  	        ftp://ftp.auscert.org.au/pub/cert/tools/crack/*B.2	COPS and Tiger            These packages identify common security and configuration            problems.  They also check for common signs of intrusion.             Though there is some overlap between these two packages, they            are different enough that it may be useful to run both. Both 	    are available via anonymous ftp.	    COPS:		ftp://ftp.auscert.org.au/pub/cert/tools/cops/1.04	    tiger:		ftp://ftp.auscert.org.au/pub/mirrors/net.tamu.edu/tiger*B.3	npasswd and passwd+            These programs are proactive password checkers.  They run a	    series of checks on passwords at the time users set them and	    refuse password that fail the tests.  Note that these programs 	    are not designed to work with shadow password systems.  Both are	    available via anonymous ftp.            npasswd:                ftp://ftp.auscert.org.au/pub/mirrors/ftp.cc.utexas.edu			/npasswd/npasswd.tar.Z   	    passwd+:                 ftp://ftp.auscert.org.au/pub/mirrors/dartmouth.edu			/security/passwd+.tar.ZB.4	tcp_wrapper            This software gives logging and access control to most network            services.  It is available via anonymous ftp from:                ftp://ftp.auscert.org.au/pub/mirrors/ftp.win.tue.nl			/tcp_wrappers_7.2.tar.gz	B.5	Tripwire            This package maintains a checksum database of important system            files.  It can serve as an early intrusion detection system. It            is available via anonymous ftp from: 	        ftp://ftp.auscert.org.au/pub/coast/COAST/Tripwire/*B.6	cpm 	    cpm checks to see if your network interfaces are running in 	    promiscuous mode.  If you do not normally run in this state then 	    it may be an indication that an intruder is running a network 	    sniffer on your system.  This program was designed to run on 	    SunOS 4.1.x and may also work on many BSD systems.  It is available 	    via anonymous ftp from:	       ftp://ftp.auscert.edu.au/pub/cert/tools/cpm/*B.7	Vendor supplied C2 security packages            Consult manuals supplied by your vendor as to installing C2            security. The SunOS manual is "SunOS System & Network            Administration Guide".B.8	Vendor supplied security auditing packages            Sun provides an additional security package called SUNshield.             Please direct enquiries about similar products to your vendor.B.9	smrsh 	    The smrsh(8) program is intended as a replacement for /bin/sh            in the program mailer definition of sendmail(8).  smrsh is a            restricted shell utility that provides the ability to specify,            through a configuration, an explicit list of executable            programs.  When used in conjunction with sendmail, smrsh            effectively limits sendmail's scope of program execution to            only those programs specified in smrsh's configuration.	               It is available via anonymous ftp from:	       ftp://ftp.auscert.org.au/pub/cert/tools/smrshB.10	md5	    md5 is a message digest algorithm.  An implementation of this is 	    available via anonymous ftp from:	       ftp://ftp.auscert.org.au/pub/cert/tools/md5/*	       ftp://ftp.auscert.org.au/pub/cert/tools/md5check/*------------------------------------------------------------------------------Appendix C:	ReferencesC.1	Practical UNIX Security	Simson Garfinkel and Gene Spafford	(C) 1991 O'Reilly & Associates, Inc.C.2	UNIX Systems Security	Patrick Wood and Stephen Kochan	(C) 1986 Hayden BooksC.3	UNIX system security: A Guide for Users and System Administrators	David A. Curry	Addison-Wesley Professional Computing Series	May 1992.C.4	X Windows System Administrators Guide	Chapter 4	(C) 1992 O'Reilly & Associates, Inc.C.5	Information Security Handbook	William Caelli, Dennis Longley and Michael Shain	(C) 1991 MacMillan Publishers Ltd.C.6     Firewalls and Internet Security	William R. Cheswick & Steven M. Bellovin	(C) 1994 AT&T Bell Laboratories	Addison-Wesley Publishing CompanyC.7     CERT advisories can be found via anonymous FTP from	   ftp://ftp.auscert.org.au/pub/cert/cert_advisories/*C.8     UNIX System Administration Handbook        Nemeth, Evi, Garth Snyder and Scott Seebas	Prentice-Hall, Englewood Cliffs(NJ), 1989C.9     Essential System Administration	Aeleen Frisch        O'Reilly & Associates, Inc.-----------------------------------------------------------------------------Appendix D: Abbreviated Checklist	It is intended that this short version of the checklist be used in	conjunction with the full checklist as a progress guide (ie. check	the sections off as you go so that you remember what you have done	so far).  1.0   Patches [ ]    Installed latest patches?2.0   Network security [ ]    Filtering [ ]    "r" commands [ ]    /etc/hosts.equiv [ ]    $HOME/.rhosts [ ]    NFS [ ]    /etc/hosts.lpd [ ]    /etc/ttytab [ ]    /etc/inetd.conf [ ]    Trivial ftp (tftp)  [ ]    /etc/services    [ ]    tcp_wrapper (also known as log_tcp) [ ]    /etc/aliases [ ]    /etc/sendmail.cf         [ ]    majordomo [ ]    fingerd [ ]    UUCP	3.0   ftpd and Anonymous ftp [ ]    Versions [ ]    SITE EXEC [ ]    Configuration of your ftp server [ ]    Permissions [ ]    Writable directories [ ]    Disk mounting4.0   Password and account security [ ]    Policy [ ]    Proactive Checking [ ]    Root Password [ ]    NIS and /etc/passwd entries [ ]    Password shadowing and C2 security [ ]    Administration [ ]    Special accounts [ ]    Root account5.0   File system security [ ]    General [ ]    /etc/rc.local [ ]  	/usr/lib/expreserve [ ]    External file systems/devices [ ]    File Permissions [ ]    Files run by root [ ]    Bin ownership [ ]    Tiger/COPS6.0   SUNOS specific security [ ]    IP forwarding [ ]  	Framebuffers  /dev/fb 	 [ ]    /usr/kvm/sys/* [ ]    /dev/nit (Network Interface Tap)7.0   IRIX specific security [ ]    /usr/lib/vadmin/serial_ports8.0   X windows security [ ]	Problems with xdm [ ]	X security - General-----------------------------------------------------------------------------Appendix E: Shell ScriptsE.1   Script for printing the umask value for each user.#!/bin/shPATH=/bin:/usr/bin:/usr/etc:/usr/ucbHOMEDIRS=`cat /etc/passwd | awk -F":" 'length($6) > 0 {print $6}' | sort -u`FILES=".cshrc .login .profile"for dir in $HOMEDIRSdo	for file in $FILES	do		grep -s umask /dev/null $dir/$file	donedone-----------------------------------------------------------------------------The AUSCERT team have made every effort to ensure that the information contained in this checklist is accurate.  However, the decision to use the tools and techniques described is the responsiblitiy of each user or organization. The appropriateness of each item for an orgaization or individual system should be considered before application.  AUSCERT takes no responsibility for the consequences of applying the contents of this document.  Please feel free to copy and distribute this document provided you acknowledgeAUSCERT copyright.(C) Copyright 1995-----------------------------------------------------------------------------If you believe that your system has been compromised, contact AUSCERT or yourrepresentative in FIRST (Forum of Incident Response and Security Teams).Internet Email: AUSCERT@AUSCERT.org.auAUSCERT Hotline:      (07) 365 4417      Facsimile:      (07) 365 4477          AUSCERT personnel answer during business hours (AEST - GMT+10:00),	  on call after hours for emergencies.		  Australian Computer Emergency Response Teamc/- Prentice CentreThe University of QueenslandBrisbane, AustraliaQld.  4072.