Documents for linux

Code [lin001w]

A program installed in your system has probably been not installed by a package of your Linux packaging system. If this binary has been installed by the administrator note that /usr/local/ is the place for this files.












Code [lin002i]

Installed processes listening on Internet interfaces must be tightly controlled since they are the "open doors" to the outside.












Code [lin003w]

Processes that have not been run by a valid user are listening on interfaces open to external networks. This processes might have been run by a valid user and changed uids or might be rogue processes.

The list of valid users is defined in Tiger's configuration file (tigerrc) variable 'Tiger_Listening_ValidUsers'. An incorrect definition there might also lead to invalid reports and false positives.

To fix this issue, review the value of the configuration variable and the user the process is associated to. Confirm if the process is running and is necessary.

If the process is run by a system user, in order to prevent this process from working, it is often necessary necessary to reconfigure the system to prevent it from starting when the system boots. If this process is run by a normal user you might need to review the processes started by login scripts, desktop confiuration or periodic program execution.

Notice that sometimes services open sporadic UDP listeners to receive DNS requests, if you receive reports on open UDP services that later on are closed this might be a false positive.

You can fix these false positives by adjusting the tiger.ignore configuration file.












Code [lin004i]

Netstat can be used instead of lsof in order to provide information on listening processes, however it will provide less info since it cannot determine the process (or PID) associated with the open socket or the user that runs it.












Code [lin005f]

In Debian systems, checksums are stored in /var/lib/dpkg/info/ if the md5sum of a file differs from the checksum of installed packages it might be due to changes made by the system administrator (for example, files in /etc) by everyday use of by a possible intruder (who might have placed a trojan instead of the checked file) Be forewarned, an attacker might have modified this info files (they are not protected against this)












Code [lin006w]

A file installed by a package no longer exists in the system and cannot be checked for. An administrator should not remove files from the system, they should be removed uninstalling the packages that provided them. This is an unusual behavior.












Code [lin007w]

In the default configuration of many GNU/Linux distributions users can reboot the machine pressing Ctrl+Alt+Delete while in console mode. This can be considered a security risk if an attacker can easily taken down the server from console. You can restrict this feature through the use of the /etc/shutdown.allow file. In that file is defined, only if a user listed in the file (or root) are logged in will the system shutdown be initiated.












Code [lin008e]

The /proc pseudo-filesystem is needed to check the network configuration settings in the kernel and determine insecure setups. /proc is available when the kernel is compiled with the CONFIG_PROC_FS=Y option (if you want to modify them you also need to add the CONFIG_SYSCTL=Y option). You also need to have it mounted, if it's not try: 'mount -t proc proc /proc'. This is usually done in most distributions per default.












Code [lin009i]

The kernel will answer (per configuration) to ICMP echo requests in any interface. You might want to configure it to not answer to this requests and thus make it more "invisible". Do it with: # sysctl -w net.ipv4.icmp_echo_ignore_all=1 Note, however, that this violates RFCs.












Code [lin010f]

The system will answer to ICMP broadcast echo messages. This is considered a problem since ICMP broadcasts can cause network denial of service as the same time as giving away the location of the hosts. To remove this do: # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts = 1












Code [lin011f]

The system is configured to answer to bad formatted ICMP messages. This behavior is not recommended, please unconfigure it with: # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses = 1












Code [lin012w]

The system is configured to accept ICMP redirects, this might or might not be necessary in your network topology. If you have multiple routers to which connect through to outside locations it might be necessary, otherwise remove it since an attacker could send bogus ICMP redirection messages to try to route the outgoing network packets to other systems (including his own) and thus allowing for man in the middle or denial of service attacks: # sysctl -w net.ipv4.conf.all.accept_redirects = 0 and: # sysctl -w net.ipv4.conf.default.accept_redirects = 0












Code [lin013f]

It is common to protect systems against Denial of Service attacks using SYN packets (commonly known as "SYN flooding") by activating support of TCP syncookies. Note, however, that activating this violates some RFCs: # sysctl -w net.ipv4.tcp_syncookies = 1












Code [lin014f]

It is possible to send IP spoofed packets from this machine. Spoofed packets are commonly used by trojans that make use of compromised hosts to deliver denial of service, man in the middle or connection hijacking. You should consider configuring your kernel to not permit this: # sysctl -w net.ipv4.conf.all.rp_filter = 2 and: # sysctl -w net.ipv4.conf.default.rp_filter = 2












Code [lin015w]

IP forwarding is the option that permits the system to act as a router and thus resend packets from one network interface to another. If your system is not acting as such this option should be disabled: # sysctl -w net.ipv4.ip_forward = 0












Code [lin016f]

Source routing might permit an attacker to send packets through your host (if routing is enabled) to other hosts without following your network topology setup. It should be enabled only under very special circumstances or otherwise an attacker could try to bypass the traffic filtering that is done on the network: # sysctl -w net.ipv4.conf.all.accept_source_route = 0 and: # sysctl -w net.ipv4.conf.default.accept_source_route = 0












Code [lin017w]

Suspicious packets received by the kernel should be logged to detect incoming attacks. To activate this logging capability: # sysctl -w net.ipv4.conf.all.log_martians = 1 and: # sysctl -w net.ipv4.conf.default.log_martians = 1












Code [lin018w]

The "weak end host" description in the RFC1122 permits multihomed systems to receive packets for a network interface from another network interface. This, as a matter of fact, removes the benefit of configuring services and binding them to a single IP address (not to all IP addresses). For 2.2 kernels remove this option with: # echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden For 2.4 and later kernels you might need to patch the kernel or configure your firewalling rules properly (i.e. defining anti-spoofing rules).












Code [lin019f]

The system has no firewalling rules in place to limit access to network services and protocols. Considering configuring a set of local firewall rules adapted to your needs. There are multiple firewall generation software you can use to generate these (such as Bastille, Shorewall, Firestarter, or Knetfiler). Local firewall rules can be used to block undesired incoming and outgoing traffic and can be useful to prevent access to network services that are listening on all system interfaces, only want to be used from specific hosts (or interfaces) and lack capabilities to either restrict its use to specific local network IP addresses or hosts. If the system is multi-home a local firewall configuration will prevent spoofing attacks due to "weak end host" issues.