############################
#      buck-security       #
############################
Author: Martin Bartenberger Mail : maba4891 @users . sourceforge . net
Additional Author: Anne Mulhern

DISCLAIMER OF WARRANTY
###########################
THERE IS NO WARRANTY FOR THE PROGRAM,
TO THE EXTENT PERMITTED BY APPLICABLE LAW . EXCEPT WHEN OTHERWISE STATED
IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM
“AS IS” WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE
OF THE PROGRAM IS WITH YOU. SHOULD
THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
##########################
For more information please read the LICENSE


# WEBSITE
#############################
You can find more informations on our website

http://www.buck-security.org
##############################


##################
Documentation
##################

     * What is Buck Security
     * Different checks
          + Find worldwriteable files
          + Find worldwriteable directories
          + Find SETUIDS
          + Find SETGIDS
          + Check the default permission for new files/directories
            (umask)
          + Check if the sticky bit is set for /tmp
          + Check for superusers
          + Check for installed attack tools packages
          + Check firewall policies
          + Check if sshd is secured
          + Check for listening services
          + Checksums of system programs
     * Installation
     * Configuration
     * Usage
     * Further information



» What is Buck Security?

   Buck-Security is a security scanner for Debian and Ubuntu Linux. It
   runs a couple of important checks and helps you to harden your Linux
   system. This enables you to quickly overview the security status of
   your Linux system.
   As a system administrator you often get into situations where you
   have to take care of a server, that has been maintained by other
   people before. In this situation it is useful to get an idea of the
   security status of the system immediately. Buck Security was
   designed exactly for this. It runs a few important checks and
   returns the results. It was desigend to be extremly easy to install,
   use and configure.

   ATTENTION: Buck Security should be just a small tool in your
   holistic security concept. Server security is a complex PROCESS
   which can't be guaranteed by a simple tool.
 

» Different checks

   The different security-checks are the core of Buck Security. In
   every security book for linux you'll find a couple of small tricks
   to check the security status of your system (f.e. find worldwritable
   files/directories, find SUIDS, ...). Buck Security aims to unite all
   these small but important and useful checks in one easy-to-use
   program.
   The following checks are implemented at the moment. In the future
   more checks will be added.


› Find worldwriteable files

   As the name indicates the content of worldwriteable files can be
   changed by ANY user on your system. This is, of course, a major
   security risk. Worldwriteable files indicate a bad user management.
   They can most of the time be avoided by creating a group which
   includes all users who need write access for the file, and change
   the group of the file to this group.

   buck-security searches such worldwriteable files and gives you a
   warning if any are found. Normally none worldwriteable files should
   be found, so be very careful to add some to the whitelist.


› Find worldwriteable directories

   Like worldwriteable files, worldwriteable DIRECTORIES are a major
   security risk too. For any user on the system can delete the files
   in this directory, even if he has no write permission to it! So
   worldwriteable directories should be avoided were possible. Were
   worldwide write access to a directory is necessary, for example for
   /tmp, the sticky bit should be set, so that users can not delete or
   alter files of other users in this directory

   buck-security checks for worldwriteable directories. Typically /tmp
   and its subdirectory are worldwriteable but have the sticky bit is
   set. So buck-security also checks if the sticky bit is set for /tmp.
   See [28]Check if the sticky bit is set for /tmp for more
   information.


› Find SETUIDS

   The potential problem about SETUID and SGID programs is explained
   very well in [30]Network Security Hacks by Andrew Lockart:

   "One potential way for a user to escalate her privileges on a system
   is to exploit a vulnerability in a SUID or SGID program. SUID and
   SGID are legitimately used when programs need special permissions
   above and beyond those that are available to the user who is running
   them. One such program is passwd. Simultaneously allwoing a user to
   change her password while not allowing any user to modify the system
   password file means that the passwd program must run with root
   privileges. Thus, the program has its SUID set, which causes it to
   be executed with the privileges of the program files owner.
   Similarly, when the SGID bit is set, the program is executed with
   the privileges of the files group owner.

   Running ls -l on a binary that has its SUID bit set should look like
   this:

   -r-s--x--x 1 root root 16336 Feb 13 2003 /usr/bin/passwd

   Notice that instead of an execute bit (x) for the owner bits, it has
   an s. This signifies an SUID file.

   Unfortunately, a poorly written SUID or SGID binary can be used to
   quickly and easily escalate a user's privileges. Also, an attacker
   who has already gained root access might hide SUID binaries
   throughout your system in order to leave a backdoor for future
   access. This leads us to the need for scanning systems for SUID and
   SGID binaries."

   buck-security therefor checks for SUID and SGID files and has a
   whitelist of common ones included. If you installed a lot of
   packages you'll probably get some warnings here. Check if this
   programs need the SUID or SGID bit and add them to the whitelist if
   so.
   For more information please check out [31]EXPLAIN: What is "Setuid"
   or "SUID"? 

› Find SETGIDS

   Please see the explanation for "Find SETUIDS" for further
   information.


› Check the default permission for new files/directories (umask)

   The umask (User's file creation mask) determines the permissions for
   newly created files. The permissions which are set in the umask are
   NOT set for new files, which means they are substracted from 777.
   You can check your umask by running "umask". The default umask on
   Debian Linux "Lenny" is 0022. This means everyone can read your
   files, but no one can write to them.The most secure umask is 0077
   which means, no one on the system can read or write your files.

   buck-security uses this as default umask, it is included in the
   whitelist. If you want to use the more secure 0077 instead of 0022
   please include it in the whitelist for the umask check and remove
   the 0022.

   For more information please see What is umask and how to setup
   default umask under Linux? and umask on Wikipedia.


› Check if the sticky bit is set for /tmp

   "The most common use of the sticky bit today is on directories,
   where, when set, items inside the directory can be renamed or
   deleted only by the item's owner, the directory's owner, or the
   superuser; without the sticky bit set, any user with write and
   execute permissions for the directory can rename or delete contained
   files, regardless of owner. Typically this is set on the /tmp
   directory to prevent ordinary users from deleting or moving other
   users' files."
   http://en.wikipedia.org/wiki/Sticky_bit#Usage

   buck-security checks the permissions for /tmp and has the typical
   permission set included as whitelist. For more information about
   worldwriteable directories see Find worldwriteable directories.


› Check for superusers

   Superusers are the administrators of your linux system. They have
   full control over your machine, their User Id is 0.

   buck-security therefor searchs for users with this id in
   /etc/passwd. Normally only the user root has this id, be careful if
   you find other superuser accounts on your system.

› Check for installed attack tools packages

   There are a lot of security tools which help administrators to keep
   their servers secure. These tools do the same as an attacker will
   do, they scan for open ports, checking for vulnerabilities or sniff
   the network traffic. If such tools are installed on your server they
   may become a potential security risk since attackers which have
   control over your server can use them to attack other servers.

   buck-security therefor checks if the packages of such tools are
   installed on your machine.
   By now we are looking for these packages:
   doscan,dsniff,ethereal,ettercap,harden-remoteaudit, inguma, nmap,
   nessusd, nessus, nikto, paketto, pnscan, hping2, hping3, john,
   scanssh, python-scapy, tshark
   You can find more informations about these packages at
   http://packages.debian.org
   WARNING: Of course this isn't a check that looks for rootkits or
   tools that are installed without using the debian package manager
   (dpkg). It's just a check toto see if some dangerous packages are
   installed.


› Check firewall policies

   If you build up a firewall you should follow a whitelist approach
   rather than blacklisting. This means by default you should deny any
   packages to bypass your firewall, except the ones you allow
   explicitly. With Linux iptables you can do this by setting the
   POLICIES to DROP all packages by default.

   buck-security checks the default firewall policies of iptables and
   warns you if they are set to ACCEPT (which means all packages can
   bypass by default unless you reject them in a rule).
   So if buck-security gives you a warning about your firewall policies
   this probably means you don't have a firewall at all on your system
   or one which is using a (less secure) blacklisting approach.
   If your system is protected by another firewall you can ignore this
   warning.

   If you want to learn more about iptables check out [44]this
   tutorial.


› Check if sshd is secured

   The SSH-Daemon is used for secure remote administration of your
   system and is running on nearly every Linux servers. Therefor
   buck-security takes a closer look at it's configuration file
   (/etc/ssh/sshd_config) an checks if sshd is configured in a secure
   way.

   buck-security checks the following configuration options:

PermitEmptyPasswords

   When password authentication is allowed, it specifies whether the
   server allows login to accounts with empty password strings. The
   default is ``no''.
   This should be set to no

PermitRootLogin

   Specifies whether root can log in using ssh. If this option is set
   to ``no'', root is not allowed to log in.
   This should be set to no

Port

   Specifies the port number that sshd listens on. The default is 22.
   To make brute force attacks to you sshd more difficult you should
   set this to anything but 22.

Protocol

   Specifies the protocol versions sshd supports. The possible values
   are '1' and '2'. The default is '2'
   Since the protocol version 1 is considered insecure this should be
   set to 2.

TCPKeepAlive

   Specifies whether the system should send TCP keepalive messages to
   the other side. If TCP keepalives are not sent, sessions may hang
   indefinitely on the server, leaving ``ghost'' users and consuming
   server resources. The default is 'yes'.
   This should be set to yes.

UsePrivilegeSeparation

   Specifies whether sshd separates privileges by creating an
   unprivileged child process to deal with incoming network traffic.
   After successful authentication, another process will be created
   that has the privilege of the authenticated user. The goal of
   privilege separation is to prevent privilege escalation by
   containing any corruption within the unprivileged processes. The
   default is 'yes'.
   This should be set to yes

   If you want to learn more about the configuration of sshd you should
   check out the sshd_config manpage (I took most of the
   information above from it).


› Check for listening services

   As Andrew Lockhart puts it in his book "Network Security Hacks":
   "One of the first things you should do after a fresh operating
   system install is see what services are running and remove any
   unneeded services from the system startup process". This is not only
   true for fresh installs but for all systems and is therefor one of
   the essential checks of buck-security.

   What this check does is looking for listening services on your
   system, the output format is this:
   port:program:listen_mode
     * port is the port of the service
     * program is the program name that is listening on this port if
       available. If we can't find out the name of the program you'll
       see UNKNOWN in this column
     * listen_mode tells you how the service is listening, there are
       two possible states:
          + LISTEN_LOCAL means that the service is only listening for
            connections from your system itself, not from the Internet
            or network.
          + LISTEN_ALL means that the service is listening on all
            network interfaces, not only for local connections. Of
            course this means the service is available to others (for
            example a webserver, or ssh) if it's not blocked by a
            firewall.

   As always you can use the whitelist to prevent false warnings. See
   the [49]configuration section for more details.

   If you want to find out more type netstat -luntp in your shell (in
   fact that's also the way buck-security checks for listening
   services, also check out the manpage of netstat) or see Chapter
   1, Hack #8 in Andrew Lockharts "Network Security Hacks". Also
   you can do a portscan of your system from the outside to see what
   ports are accessible (use nmap for example).


› Checksums of system programs

   If you want to check the security status of your system, see which
   programs are running, which users are logged in or which ports are
   opened then you have to rely on system programs like ps, netstat or
   top. And buck-security uses these programs too. Therefor it's
   important to check the integrity of these programs by generating
   checksums of them and see if these checksums change.

   When runned with the --make-checksum option buck-security by default
   creates checksums of the programs in /bin, /sbin, /usr/bin and
   /usr/sbin. To protect this checksum list it is encrypted with
   [54]GPG, therefor you are asked for a password. You'll be asked for
   this password everytime when buck-security is executed and the
   checksum check is enabled.

   If you control the integrity of your system already with other
   programs (like tripwire) you can disable the checksum check.


» Installation

   buck-security comes as zip-file. Just download the latest
   version and unzip the the zip-file. To start the checks run the buck
   program (type ./buck while in the buck-security directory).
   Or run buck --help to get information about the options.

» Configuration

› Configure which check to run

   You can configure Buck Security by editing the file conf/buck.conf
   Here you can enable and disable the different checks by deleting
   them from the list. By default all checks are enabled.


› Configure exceptions for checks

   Some warnings that Buck Security will give you at the first run will
   probably be false alarms. buck-security include whitelists for all
   checks that are suited for a newly installed Debian Linux "Lenny".
   If you are sure that the warnings you get are harmless, you can add
   the items to the whitelist of the check which gave you the warning.
   For example if you are sure which files or directories should be
   allowed to be worldwriteable, or have the SETUID or SETGID set, than
   you can add these to the whitelist-files. Just copy and paste the
   list of files/directories that Buck Security outputs to the proper
   exception file at conf/whitelists. For example copy a list of
   programs which are allowed to have the SETUID set to
   conf/whitelists/suids_whitelist.conf

   ATTENTION: Please use the whitelists carefully. They may be a
   possible security risk.


» Usage

   By default all checks are enabled. For disabling checks see the
   section CONFIGURATION. Buck Security is started by executing the
   buck program (type ./buck while in the buck-security directory).

   The different checks may take a while. After they have been finished
   you will get informations about potentially security risks. You have
   to decide for yourself how to handle these informations. For how to
   get further information and help please read the section FURTHER
   INFORMATION.

› Command line arguments

   To control the output and enable logging of the results, the
   following command line arguments are available:

   ./buck-security --help
   show help

   ./buck-security --log
   logs output in logs-directory

   ./buck-security --output=1
   short output, show result only

   ./buck-security --output=2
   (default) default output, show details (which files/dirs where found
   f.e.)

   ./buck-security --make-checksums
   create checksums for the most important system programs to recheck
   them later (if the checksums check is enabled)



» Further information

   If you need help please visit our contact site.
   http://www.buck-security.org/contact.html