* R e n e g a d e L e g i o n * RL C.O.P.S. File by Brian Oblivion Technical Report #7 May 1991 The Night Elite BBS (RL HeadQuarters) : (617) oOo-oOOo The Electric Eye ][ (RL Support Site) : (313) 776-8928 Mind Of 'a Lunatic (RL Support Site) : (714) 693-0957 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Well, due to the increasing popularity of this package of utilities, I feel that everyone should be aware of it, watch for it, and avoid it. Looking at the file one will say, by Jove! how easy it would be to modify this program to report to me all the flaws of a system. And so it should be done. At any rate, absorb the information. The package, which will be henceforth be referred to as COPS (Computer Oracle and Password System), can be broken down into three key parts. The first is the actual set of programs that attempt to automate security checks that are often performed manually (or perhaps with self written short shell scripts or programs) by a systems administrator. The second part is the documentation, which details how to set up, operate, and to interpret any results given by the programs. Finally, COPS is an evolving beast. It includes a list of possible extensions that might appear in future releases, as well as pointers to other works in UNIX security that could not be included at this time, due to space or other restrictions. This document contains six sections: 1) What is COPS? 2) What COPS is _not_ 3) How to Configure COPS 4) Running COPS for the 1st Time 5) Continued Use and Installing COPS 6) Disclaimer and End Notes 1) What is COPS? ----------------- COPS is a collection of about a dozen (actually, a few more, but a dozen is such a good sounding number) programs that each attempt to tackle a different problem area of UNIX security. Here is what it currently checks: o file, directory, and device permissions/modes. o poor passwords. o content, format, and security of password and group files. o the programs and files run in /etc/rc* and cron(tab) files. o finds SUID files, and checks for their writeability and if they are shell scripts. o runs a crc check against important binaries or key files, and reports any changes therein. o writability of users home directories and startup files (.profile, .cshrc, etc.) o anonymous ftp setup. o unrestricted tftp, decode alias in sendmail, SUID uudecode problems. o miscellaneous root checks -- current directory in the search path, a "+" in /etc/host.equiv, unrestricted NFS mounts, ensures root is in /etc/ftpusers, etc. o includes the Kuang expert system, that takes a set of rules and tries to determine if your system can be compromised (for a more complete list of all of the checks, look at the file "release.notes" or "cops.report"; for more on Kuang, look at at "kuang.man".) All of the programs merely warn the user of a potential problem -- COPS DOES NOT ATTEMPT TO CORRECT OR EXPLOIT ANY OF THE POTENTIAL PROBLEMS IT FINDS! COPS either mails or creates a file (user selectable) of any of the problems it finds while running on your system. And because COPS does not correct potential hazards it finds, it does _not_ have to be run by a privileged account (i.e. root or whomever.) The only security check that should be run by root to get maximum results is the SUID checker; although it can be run as an unprivileged user, to find all the SUID files in a system, it should be run as root (in addition, if key binaries are not world readable, only executable, the CRC checking program ("crc.chk") needs to be run as a privileged user to read the file in question to get the result.) In addition, COPS cannot used to probe a host remotely; all the tests and checks made require a shell that is on the site being tested. The programs are mostly written in Bourne shell (using awk, sed, grep, etc. as well) for (hopefully) maximum portability. A few are written in C for speed (most notably the Kuang expert system and for implementing fast user home directory searching), but the entire system should run on most BSD and System V machines with a minimum of tweaking. 2) What COPS is _not_ ---------------------- COPS merely provides a method of checking for common procedural errors. It is not meant to be used as a replacement for common sense or user/ operator/administrative alertness! Think of it as an aid, a first line of defense -- not as an impenetrable shield against security woes. An experienced wrong-doer could easily circumnavigate _any_ protection that COPS can give. However, COPS _can_ aid a system in protecting its users from (their own?) ignorance, carelessness, and the occasional malcontent user. Once again, COPS does not correct any errors found. There are several reasons for this; first and foremost, computer security is a slippery beast. What is a major breach in security at one site may be a standard policy of openness at another site. Additionally, in order to correct all problems it finds, it would have to be run as a privileged user; and I'm not going to go into the myriad problems of running SUID shell scripts (See the bibliography at the end of the technical report "cops.report" for pointer to a good paper on this subject by Matt Bishop.) At this time, COPS does not attempt to detect bugs or features (such as the infamous ftpd, fingerd, etc) that may cause security problems. Although this may change in future versions, the current line of reasoning to avoid general publication of programs such as these is that all the problems that COPS detects can be repaired on any system it runs on. However, many bugs can be readily repaired only be having source code (and possibly a good vendor to repair it), and many sites would have serious troubles if they suddenly discovered unrepairable problems that could compromise their livelihood. It is possible that a more controlled release may come out in the future to address such problems (but don't mail to me about getting them -- unless you want to help write them! :-)) 3) How to Configure COPS ------------------------- System V users, other Non-BSD systems, or sites with commands in strange places -- you may have to run a shell script called "reconfig" to change the pathnames of the executable programs called when using COPS. If your system does not use the paths listed in the shell scripts, try running "reconfig". This will reconfigure the pathnames used by COPS to your system; COPS should run fine then, if it can find all of the commands (reconfig should tell you if it cannot.) If trouble persists, you will have to change the paths to your executable files (awk, sed, etc) by hand. A drag, I know. This all may change without notice, anyway :-) With all the varieties of unix, there are a few types that may need extra help to run the system. I've got README files for Apollo and Xenix in the distribution -- see the files "README.apollo", and "README.xenix", respectively -- if you have any troubles, drop me a line, and I'll see what I can do about working out a patch with you. Some problems might arise with some SYSV machines (heck, to any machine :-)), due to weird files and names for stuff. What can I say? Portability is a problem. You can comment out line 39 and 38 in "misc.chk", if you use /etc/servers instead of /etc/inetd.conf. 4) Running COPS for the 1st Time --------------------------------- Since most of COPS was written and tested mostly on just a few machines (at least compared to the total number out there!), you may have significant differences that were not anticipated -- unfortunately, or fortunately, UNIX is not quite standardized yet. However, I haven't run into a UNIX yet that I haven't been able to get it running on, with just a small amount of change, so feel free to mail to me for help. COPS is run by simply typing "cops". "cops" is a Bourne shell script that runs each of the programs, accumulates the output, and then either mails or stores any results in a file. "suid.chk" (and possibly "crc.chk") is the only package that is meant to be run separately, simply because it can take a long time to run, and possibly because it needs a privileged account to run it; look at "suid.man" for more information. By all means, however, do not ignore the SUID checker! Run it at least once a week, if possible, more (daily?); intruders into a system often leave SUID files to gain privileges later. "crc.chk" should also be run; it can either be run as a standalone program (preferred), or as part of the COPS package; read the file "CRC.README", and the man page for more information. To run COPS for the first time, I suggest doing the following: -- Look at the disclaimer, file "disclaimer". Don't sue me. Actually, this holds for all the times you use COPS (1/4 :-)) -- Type "make" and "make docs" to create the formatted manual pages, to compile the C programs, and to make the shell programs executable. A couple of potential (hopefully minor problems) might occur, probably only for SysV based machines; one, if you don't have the "-ms" package for nroff (i.e. you, get an error message after typing "make" about it), just remove the "-ms" flag; e.g., change line 7 of the "docs/makefile" file, from: ROFFLAGS = -ms to ROFFLAGS = The second potential problem might be with the password checking program; if it fails to compile, try uncommenting out line 20 in "makefile" -- e.g., enable the "BRAINDEADFLAGS = -lcrypt" flag. If this doesn't work... well, you can either work it out, or e-mail me. -- Read the technical report to understand what COPS is doing and what is going on -- "cops.report". This gives a look at the philosophies, design notes, and finally a general outlay of the COPS system and UNIX security. This can be forsaken, for those who just want to get to the results/see some action (people like me.) -- Next, change lines 51 and 52 in the "cops" shell file; this is what they were: SECURE=/usr/foo/bar SECURE_USERS="[email protected]" SECURE should be the same directory as the directory that contains the cops programs, and SECURE_USERS should be your own login id, or to whomever you designate as the recipient of the output (your enemy?) -- Set "MMAIL=NO" in the "cops" shell file (line 25). This will prevent a large mail file from choking the mailer. All of the output will be put into a file called "year_month_day" (obviously, that's like: "1991_Dec_31", not actually the words, "year_month_day" :-)), and should be automatically placed by COPS in a directory that has the same name as the host it was run on (e.g., your own hostname.) -- Look at the directory and file configuration file, "is_able.lst" This contains critical files that COPS checks for group and world writability and readability. Add or delete whatever files/directories you wish; if a file doesn't exist, COPS will effectively ignore it. (If you don't know or are uncertain what files/directories are important, what is given there is a good set to start with on most systems.) -- If you allow anonymous ftp access to your system, add a "-a" flag to "ftp.chk" on line 104 of "cops". Right now, it is set up so that key files and directories are expected to be owned by root; however, it has provisions for two owners, $primary and $secondary -- some may wish to change the second to "ftp", or some other user. Read the man page for ftp.chk, or look at "ftp.chk" for further notes. -- You may wish to comment out the password checker (line 109 in the "cops" shell file). Although this is not necessary, it will speed up the package if you wish for immediate gratification. If you are using yellow pages/NIS, read "README.yp" for tips on how to check passwords there. -- Uncomment out the crc checker, "crc.chk" (line 123), if you desire to run it as part of the normal COPS run. You should be ready to roll. COPS is run by simply typing "cops" (you may wish to put in the background....) If you followed my advice and set "MAIL=NO" in the "cops" shell file, after COPS is finished, there will be a report file created ("year_month_day") that lists the time and machine it was created on. Otherwise, COPS mails the report to the user listed on the line 'SECURE_USERS="[email protected]"'. There is a file "warnings", which contains most of the warning messages COPS uses, as well as a brief explanation of how the message might pertain to your system and finally a suggestion as how to "fix" any problem. NOTE: Change the shell script "cops" to reflect who you want the output sent to and where the location of the program is BEFORE running the program. 5) Continued Use and Installing COPS ------------------------------------- Once you are satisfied that COPS indeed does something useful (hopefully this will occur :-)), a good way to use it is to run it on at least a semi-regular basis. Even if it doesn't find any problems immediately, the types of problems and holes it can detect are of the sort that can pop up at any given time. One way of running COPS might be to run it as an "at" job or by cron. I highly advise that whatever directory COPS is placed in is to be readable, writable, and executable only by the owner (typing "chmod 700 /usr/foo/bar" or whatever the name is will do this) of the directory. This is to prevent prying eyes from seeing any security problems your site may have. Even if you don't think of them as important, someone else might come around and change your mind. Since COPS is fairly configurable, an intruder could easily change the paths and files that COPS checks for, hence making it fairly worthless. Again, this comes back to the point that COPS is only a tool -- don't put down your defensive shields merely because COPS says "all clear". If this sounds paranoid, it is! Security people are traditionally paranoid, for a reason.... In any case, it is probably not a good idea to advertise any (even) potential weaknesses. Typing "make install" will create (if necessary) a subdirectory with the name you put in $INSTALL_DIR (found on line 7 of "makefile"); if you run a network with multiple architectures, you can have several executable versions of COPS in the same NFS mounted directory structure. You can run COPS with "cops archtype", and it will cd into the archtype directory, use the binaries in that directory (placed there by a "make install"), and put any results in a subdirectory of the archtype directory with the appropriate host name. For example, assume you have the following setup: machine architecture hostname If run COPS with: ===================== ======== ================== cray ribcage cops vax bar cops vax vax foo cops vax sun earth cops sun sun mars cops sun sun venus cops sun mips hades cops If $SECURE (the secure directory variable in the "cops" shell script) was set to "/usr/secure", the resulting directory/reporting structure would be: /usr/secure/cops/ribcage /usr/secure/cops/vax/bar /usr/secure/cops/vax/foo /usr/secure/cops/sun/earth /usr/secure/cops/sun/mars /usr/secure/cops/sun/venus /usr/secure/cops/hades Sometimes you will get the same report over and over again, everytime you run COPS; for instance, with Ultrix 3.x, /dev/kmem is world readable -- this is a security hole, but many utilities in Ultrix need this to function. If you wish to only see reports that are _different_ than the old reports, you first need to have an older report saved in a file (in $SECURE/hostname, or wherever you usually save the reports); you can then set "MMAIL=YES" _and_ "ONLY_DIFF=YES" (lines 25 & 30, respectively) in "cops"; everytime COPS is run after that, it will compare the report it generated for the current check with the old report; if it detects any differences, it will mail you a report. If not, it simply discards it. This can be a real boon for a site with a lot of machines running COPS every night... There are a couple of further options you may wish to explore. First of all, since so many breakins are because of poor passwords selection by users, it would be a wise idea to add options to your password checking program (line 109 in "cops"). You may wish to try some words from a dictionary; you may use either your system dictionary (usually found in /usr/dict/words), or you may use the same dictionary that the internet worm found so lucrative when hitting all those thousands of hosts; that dictionary is in the file "pass.words" (example; the way to include the worm dictionary is: "pass.chk -w pass.words"). Also, try some of the options in the password program, such as "-b", "-g", "-s", and "-c", which add checks for backward, gecos, single letter & number, and upper and lower case guesses, respectively. Just as a note, each option will increase the time needed to crack the passwords, of course; experiment! See what is reasonable for your hardware and resource capabilities. By using the "pass_diff.chk" program, you only check accounts that have _changed_ their password since the last time you've checked -- this can save enormous amounts of times with large systems; you can check your users thoroughly once, then only check them as they change their passwords again. Be careful, though, if you use this, and then later expand your checks and/or your dictionary used to search for passwords, the earlier accounts that were already checked with an inferior method will not be checked again until they change their password. See the file "passwords" in the "extensions" directory for a replacement "passwd" program, that can disallow poor passwords to begin with. The file "is_able.lst" contains a list of files that are to be checked for world readability and/or writability; look at the file; add or delete any files you feel are important to your system. After running COPS, if any warnings are given that compromise any individual users accounts (such as world writable .profiles, home directories, guessed passwords, etc.), and the warnings are not corrected immediately (or you are not sure whether or not it is worth hassling the user to change it), try this: Edit the file "init_kuang", and add the compromised user(s) uids and groups in their respective target lines (below lines 20 and 27, respectively), and run kuang again to see if the users can compromise the entire system. You may change your mind about not thinking they are a problem! In addition, kuang does not have to have "root" as a target (the last line). Try putting in system administrators or other powerful figures to see if they are in danger as well. If you have "perl" installed on your system, try the perl version of kuang -- "kuang.pl" (you'll have to unpack the shar file this is inside -- "kuang.pl.shar", and you may have to edit the first line of the file "kuang.pl", to reflect where the location that perl is on your system.) 6) Disclaimer and End Notes ---------------------------- COPS is meant to be a tool to aid in the tightening of security, not as a weapon to be used by an enemy to find security flaws in a system. It may be argued that allowing anyone to have access to such a tool may be dangerous. But hopefully the overall benefit for systems that use this package will outweigh any negative impact. To me it is akin to a law enforcement problem -- that although telling the public how to break into a house may foster a slight rise in break-in attempts, the overall rise in public awareness on how to defend themselves would actually result in a drop in break-ins. The crackers with black hats already know how to crush system defenses and have similar tools, I'm sure. It's time we fought back. COPS is not the final answer to anyone's security woes. You can use the system as long as you realize that COPS has no warranty, implied or otherwise, and that any problems that you may have with it are not my or any of the other authors' fault. I will certainly attempt to help you solve them, if I am able. If you have ideas for additional programs, or a better implementation of any of the programs here, I would be very interested in seeing them. COPS was the work of a LOT of people, both in writing code and in the testing phase (thanks beta testers!). For a complete list of contributors, look at the file "XTRA_CREDIT". So good luck, and I hope you find COPS useful as we plunge into UNIX of the 1990's. dan farmer January 31, 1989 (Now January 31, 1990) # include "./disclaimer" Just for snix, here are some of the machine/OS's I know this sucker works on; far and away the most common problem was getting that stupid password cracking program to compile, followed by systems without the -ms package to nroff. Some minor problems with config files -- I *think* these are all ok: DECstation 2100, 3100, 5000, Ultrix 2.x, 3.x, 4.x (It should, I'm sitting in front of one now. Ultrix is braindead) Sun 3's, 4's (incl. Solbourne) -- 3.x, 4.x Gould 9080 Powernode, hacked up Gould OS (whatever it is) sequent S-87 symmetry, dynix V3.0.12 (both att & bsd universes; att required "BRAINDEADFLAGS = -lcrypt" to be uncommented. eta-10P, Sys V R3 based Convex boxes, all types, most OS's (up to 9.x, the most recent) Apollo dn3000 & dsp90, Domain SR 9.7 Vax 11/780, 4.3 BSD (Mt. Xinu, tahoe and stock) Vaxstation, MicroVax, Vax 6320 & 8800, Ultrix 2.0, 3.x HP900/370, HP-UX 6.5 Cray 2 & Y-MP, UNICOS 5.0, 6.0 Amdahl 5880, UTS 580-1.2.3 SGI 2500's, IRIX GL 3.6 SGI 4D's, IRIX System V Release 3.X '286 & '386 Boxes, running Xenix (README.xenix) Apple Mac IIci, running AUX 2.x. The "test -z" seemed broken on this, but I only had a brief chance to test it out, but kuang didn't like it as a result. I'll get a working version soon; everything seemed ok (change the /etc/servers line in "misc.chk".) NeXT, 1.x (password stuff is different on this machine, tho; cracking is strange. Diffs?) Multimax 320, 12 Processors, 64Mb Memory, Encore Mach Version B1.0c (Beta) (no crypt(3) on this machine. Sigh.) IBM rs6000, AIX 3.1 (BRAINDEAD -- boo. hiss.) COPS will *NOT* work well on this piece of trash -- the shell utilities are garbage; however, you can still get *some* useful info. I'm not going to rewrite everything because big-blue won't write an awk that works: