February 19, 1991                           - 6 -UNIX  security  holes.   The  COPS  system uses a variety ofthese problems to see if there are any  cracks  in  a  givenUNIX security wall.  These methods correspond to some of theproblems discussed above;  specifically  to  administrators,system  programmers, and computer operators; authentication;ignorance;  unauthorized  permissions  or  privileges;   andfinally  crackers/hackers/evil twin brothers (numbers 1,3,5,and 6.)  It is very difficult, almost a  practical  impossi-bility  to  give software assistance to problems in physicalsecurity, and finally bugs or features that are present in agiven  UNIX  system  are  possible  to  detect,  but are notcovered in this system (yet).  The design of most of the theprograms  were  at  least described if not outlined from thefollowing sources:Aho, Kernighan, and Weinberger 88Baldwin 87Fiedler and Hunter 86Grampp and Morris 84Wood and Kochran 86     Of course with all of the problems listed below,  look-ing  at  the  actual  source  code  of  the  program is veryinstructive -- each numbered section lists the correspondingprogram that is used to perform the check:     1)  COPS Checks "vital" system directories  to  see  ifthey are world-writable.  Directories listed as critical arein a configuration file and are initially:/ /etc /usr/bin /Mail /usr/spool/usr/adm /usr/etc /usr/lib/usr/bin /usr/etc /usr/spool/mail/usr/spool/uucp /usr/spool/at     The method COPS uses to detect problems -- read througha  configuration  file  (dir.chklst)  containing  all of thepotential danger  spots,  and  then  simply  comparing  eachdirectory  modes with a bit mask to see if it is world writ-able.  The program that performs this task is dir.chk     2)  Check "vital" system  files  to  see  if  they  areworld-writable.   Files  listed  as critical are in a confi-guration file (file.chklst) and are initially:                     February 19, 1991                           - 7 -/.*/etc/*/bin/*/usr/etc/yp*/usr/lib/crontab /usr/lib/aliases /usr/lib/sendmailThe wildcards are used like in UNIX, so these would  include(some of the more important files):/.login /.profile /.cshrc /.crontab /.rhost/etc/passwd /etc/group /etc/inittab /etc/rc/etc/rc.local /etc/rc.boot /etc/hosts.equiv /etc/profile/etc/syslog.conf /etc/exportAs well as the executable command files (among others):sh,csh, and ls.     Method -- again read through a configuration file list-ing  all  of the files to be checked, comparing each in turnwith a write mask.  The program that performs this  task  isfile.chk     3)  Check "vital" system  files  to  see  if  they  areworld-readable,  plus  check  for  a NFS file system with norestriction.  These critical files are:/dev/kmem /dev/memAll file systems found in /etc/fstabPlus a small number of user selectable  files  --  initiallyset to include /.netrc, /usr/adm/sulog, and /etc/btmp.Method -- checking each in turn  against  a  read  mask  fortheir  read  status.   The  file  system names are read from/etc/fstab, the selectable files are  kept  in  a  variable.The program that performs this task is dev.chk     4)  Check all files in system for SUID status,  notify-ing the COPS user of any changes in SUID status.Method -- Use the "find" command on the root directory (thismust  be  done by root to avoid missing any files unreadablebut still dangerous.) The previous run will  create  a  file                     February 19, 1991                           - 8 -that can be checked against the current run to keep track ofchanges in SUID status and any new SUID files.  The  programthat performs this task is suid.chk and was written by Pren-tiss Riddle.     5)  Check the /etc/passwd file (and  the  yellow  pagespassword   database,  if  applicable)  for  null  passwords,improper #  of  fields,  non-unique  user-id's,  non-numericgroup id's, blank lines, and non-alphanumeric user-id's.Method -- Read through password file, flag  any  differenceswith  normal password file, as documented in "man 5 passwd".Fortunately, the syntax of the password file  is  relativelysimple  and  rigid.  The  program that performs this task ispasswd.chk     6)  Check the /etc/group file  (and  the  yellow  pagesdatabase, if applicable) for groups with passwords, improper# of fields, duplicate users in  groups,  blank  lines,  andnon-unique group-id's.Method -- Read through group file, flag any differences withnormal  group  file  as documented in "man 5 group".  Again,the syntax of this file is fairly simple.  The program  thatperforms this task is group.chk     7)  Check passwords of users on system.Method -- using  the  stock  "crypt"  command,  compare  theencrypted password found in the /etc/passwd file against thefollowing (encrypted) guesses:The login id (uid), information in the gecos field, and  allsingle letter passwords.The program that performs this  task  is  pass.chk  and  waswritten  by  Craig  Leres  and  was modified by Seth Alford,Roger Southwick, Steve Dum, and Rick Lindsley.     8)  Check the root path,  umask,  and  if  root  is  in/etc/ftpuser.Method -- look inside the /.profile  and  /.cshrc  files  toensure  that  all  of  the  directories listed are not worldwritable, that "." isn't anywhere in the path, and that  theumask  is  not set to create world writable files.  The pro-gram that performs this task is root.chk     9)  Examine the commands in  /etc/rc*  to  ensure  thatnone of the files or paths used are world-writable.Method -- grep through the files  and  examine  any  stringsthat  start  with  "/"  for  writability.   The program that                     February 19, 1991                           - 9 -performs this task is rc.chk     10)  Examine the commands in /usr/lib/crontab to ensurethat none of the files or paths used are world-writable.Method -- grep through the  crontab  file  and  examine  anystrings  after field five (first five are not files, but howcrontab is to be run) that start with "/"  for  writability.The  program  that performs this task is cron.chk 11)  Checkall of the user home directories  to  ensure  they  are  notworld writable.Method -- get all of the home directories using  the  systemcall  getpwent()  and  then  for every home directory found,check the write permissions of of the home directory againsta bit mask.  The program that performs this task is home.chkand it was written by John Owens.     12) Check important user files in  user's  home  direc-tories  to  ensure  they  are not world writable.  The fileschecked (all in the individual users'  home  directory,  allwith the prefix "."):rhost profile login cshrc kshrc tcshr crhostnetrc forward dbxinit distfile exrc emacsrcMethod -- using the same system call as #10, determine  userhome  directory.   Then  simply check all of the above filesagainst a bit mask.  The program that performs this task  isuser.chk     13) Given a goal to compromise, such as user root,  anda list of user and group id's that can be used in an attemptto achieve the goal, this security tool will search  throughthe  system until it verifies that the goal is compromisibleor not.  The program that performs this tricky task is  partof the U-Kuang (rhymes with "twang") system.  Robert Baldwinwas kind enough to allow me to include this security checker(a fine security machine in it's own right) within this dis-tribution.  For more information on this  fascinating  secu-rity  checker,  see  kuang.man.ms  and [Baldwin 87].  I haverewritten it in Bourne shell (it was in C-Shell) for furtherportability.     None of programs listed above certain cover all of  thepossible  areas  that can harm a system, but if run togetherthey can aid an overworked administrator to locate  some  ofthe  potential  trouble spots.  The COPS system is not meantto be a panacea against  all  UNIX  security  woes,  but  anadministrator who examines the security toolbox programs andthis research paper might reduce the danger  of  their  UNIXsystem being compromised -- and that's all any security toolcan ever hope to do.  The COPS system could never replace  a                     February 19, 1991                           - 10 -vigilant  administration  staffed with knowledgeable people,but hopefully, as administrators look into the package, morecomprehensive  programs  will come into being, covering moreof the problems that will continue as the latest versions ofUNIX continue to grow.     Design Notes:     The programs that are described here were  designed  toaddress the problems discussed above, but still be usable onas many UNIX "flavors" as possible.   Speed  was  sacrificedfor  simplicity/portability;  hopefully  the tools here willeither be replaced or modified, as by no means are they  thefinal  word  or solution to _any_ of these problems; indeed,it is my hope that  after  other  programmers/administratorssee  this  report,  they will create newer, better, and moregeneral tools that can be re-distributed periodically.  Noneof the programs need to be run by root to be effective, withthe exception of the SUID checker (to ensure that all  filesare  checked.) Some of the tools were written by myself, theothers were written by other programmers on the network  and(with their permission) presented here.  All of the programsin this report are in the public domain, with the  exceptionof Robert Baldwin's U-Kuang system; they all exist solely tobe used and modified to fit your needs.   If  they  are  re-distributed,  please keep them in their original form unlessit is clearly stated that they were modified.  Any  improve-ments (that might not be too hard :-), suggestions, or othersecurity programs that you would like  to  see  get  furtherdistribution can be sent to:     df@medusa.cs.purdue.edu     (That's me)     or     spaf@uther.cs.purdue.edu     (Dr. Eugene Spafford)     Note that the COPS system is still in an infancy  stage--  although it has been tested on a variety of computers atPurdue, it has not undergone any serious trials.