Interesting File Discovery Tool version 0.4
Monday Jul 23, 2007
Way back when, I did a post that introduced the Solaris Interesting File Discovery Tool. Being a fan of automation, I had written the tool mainly for myself, but I was pleasantly surprised to hear that people were happily using it. This leads me to today's posting.
A month or so ago, Fredrich Maney dropped me an e-mail letting me know of his experience running the tool and what tweaks he had made to improve it for his environment. In particular, he wanted to run this tool on Solaris 9. Recognizing that I had screwed up by not making the tool more broadly usable, I decided that an appropriate penance would be for me to not only fix this bug but to also build in a few new enhancements. Today, I am happy to announce the arrival of the Solaris Interesting File Discovery tool version 0.4.
New to this version is:
- Support for Solaris 9 (and likely 8) in addition to Solaris 10;
- Support for Solaris ELF signature verification (Solaris 10 only);
- Support for file fingerprint (MD5) generation (Solaris 10 only);
Yes, I do realize the irony of allowing the tool to run on older versions of the operating system while at the same time adding new features for only Solaris 10 and newer. Unfortunately, the older versions of the operating system simply do not support ELF signatures or the digest(1) command. Hey, these are just a few of the many good reasons why you should consider adopting Solaris 10 today!
Moving on... Let's take it on a brief spin to see what things look like. First, let's check out the options available:
# ./ifd-v0.4.sh -h
./ifd-v0.4.sh - Interesting File Discovery Tool
ifd -[ugnw] [-ds] [-q] { -c | -l | [Solaris Product Directory] }
-c Collect information from /var/sadm/install/contents
-d Calculate MD5 digest for each file (Solaris 10 only)
-g Print information on files with the set-gid bit set
-h Display this message
-l Collect information from /var/sadm/pkg
-n Print information on WW directories without sticky bit set
-q Quite mode. Do not print headers.
-s Validate ELF file signature for each file (Solaris 10 only)
-u Print information on files with the set-uid bit set
-w Print information on world writable files and directories
-? Display this message
So, let's fire it up with the works. In this example, we will use the /var/sadm/install/contents file as our source and look for files that are set-uid, set-gid, or world writable (including a special check for world writable directories that do not have their sticky bit set). Keep in mind that you can also point the tool at the /var/sadm/pkg directory or at a DVD/CD distribution, depending on your needs. This lets you audit a different OS release (by pointing the tool at a mounted DVD, for example) or your local system (with no separate OS distribution needed at all).
For each matching file, we will record:
- package that installed the file
- file permissions
- file owner
- file group
- status of ELF signature verification
- MD5 fingerprint (suitable for using with the Solaris Fingerprint Database)
- file name
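To make the classification concrete before the sample run, here is an added example (my own illustration, not code from the ifd tool or from Glenn's post) that applies the same set-uid / set-gid / world-writable / non-sticky-directory tests to a package database in the contents(4) layout. The sample entries are constructed, and the field layout per entry type is an assumption stated in the comments; the ELF signature and MD5 columns are left out because elfsign(1) and digest(1) only exist on Solaris 10.

```shell
#!/bin/sh
# Added example (not the ifd tool's own code): classify entries of a Solaris
# package database in the contents(4) layout into the four buckets the post
# describes. Layout assumed here (per entry type):
#   f/e/v : path ftype class mode owner group size cksum modtime pkg...
#   d/x   : path ftype class mode owner group pkg...
#   s/l   : path=target ftype class pkg...

# Constructed sample contents file (not taken from a real system).
IFD_SAMPLE_FILE=$(mktemp)
cat > "$IFD_SAMPLE_FILE" <<'EOF'
/usr/bin/passwd f none 6555 root sys 25520 8344 1106444788 SUNWcsu
/usr/bin/su f none 4555 root sys 22032 61103 1106444788 SUNWcsu
/usr/bin/write f none 2555 root tty 9704 18077 1106444788 SUNWcsu
/usr/bin/ls f none 0555 root bin 33212 21812 1106444788 SUNWcsu
/var/adm/spellhist e none 0666 root bin 0 0 1106444788 SUNWcsr
/var/tmp d none 1777 root sys SUNWcsr
/var/webconsole/tmp d none 0777 root sys SUNWmconr
/bin=./usr/bin s none SUNWcsr
/usr/bin/red=ed l none SUNWcsu
EOF

# ifd_scan CONTENTS_FILE
# Prints one record per finding: CATEGORY PKG MODE OWNER GROUP PATH
# Categories: SETUID, SETGID, WW (world writable), WW_NOSTICKY (world
# writable directory without the sticky bit). One entry can land in several
# categories, just as /usr/bin/passwd (mode 6555) does in the post's output.
ifd_scan() {
    awk '
    # Only entry types that carry a mode field; symlinks and hard links
    # (s, l) take the permissions of their target and are skipped.
    $2 ~ /^[fevdxp]$/ {
        mode = $4; pkg = $NF
        # Left-pad to four octal digits so the special-bits digit exists.
        while (length(mode) < 4) mode = "0" mode
        special = substr(mode, 1, 1) + 0   # setuid=4, setgid=2, sticky=1
        other   = substr(mode, 4, 1) + 0   # rwx bits for "other"
        setuid  = int(special / 4) % 2
        setgid  = int(special / 2) % 2
        sticky  = special % 2
        ww      = int(other / 2) % 2       # write bit for "other"
        if (setuid) print "SETUID", pkg, mode, $5, $6, $1
        if (setgid) print "SETGID", pkg, mode, $5, $6, $1
        if (ww) {
            print "WW", pkg, mode, $5, $6, $1
            if ($2 ~ /^[dx]$/ && !sticky)
                print "WW_NOSTICKY", pkg, mode, $5, $6, $1
        }
    }' "$1"
}

# ifd_count CONTENTS_FILE CATEGORY: number of findings in one category.
ifd_count() {
    ifd_scan "$1" | awk -v c="$2" '$1 == c { n++ } END { print n + 0 }'
}

ifd_scan "$IFD_SAMPLE_FILE"
```

On the constructed sample this reports two set-uid entries, two set-gid entries, three world-writable entries and one non-sticky world-writable directory (/var/webconsole/tmp, the same path the real run below flags). Because the mode is read from the package database rather than from the live filesystem, a path whose on-disk permissions differ from the recorded mode is worth a second look in its own right; on Solaris 10 each reported path can then be handed to elfsign(1) and digest(1) for the signature and fingerprint columns the tool adds.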
So, without further ado...
# ./ifd-v0.4.sh -c -d -s -u -g -w -n
Set-UID Programs
SUNWaccu 4755 root adm PASS 0c003207377f5bd2a9b5be5394205384 /usr/lib/acct/accton
SUNWbip 4555 root bin PASS ff140f86524789942e3fc66867f5be40 /usr/sbin/ping
SUNWbnuu 4511 root uucp PASS 6cf336d0ccf51c2b66a241fc615dc2da /usr/bin/ct
SUNWbnuu 4511 uucp uucp PASS 03c7fab44124264943e892ff0f9f318e /usr/bin/uustat
SUNWbnuu 4511 uucp uucp PASS 1491a5a26b6936d3eed53eab01890bcc /usr/bin/uuglist
SUNWbnuu 4511 uucp uucp PASS 453cdc99764045086d813708e268914c /usr/lib/uucp/uusched
SUNWbnuu 4511 uucp uucp PASS 4ad108e11de2ce16cb5a804ee9618589 /usr/lib/uucp/uuxqt
SUNWbnuu 4511 uucp uucp PASS 4ca26f335387f825b786fe650001e2a1 /usr/lib/uucp/remote.unknown
SUNWbnuu 4511 uucp uucp PASS 65cca9d2de0955d87dc52220da544c14 /usr/bin/uuname
SUNWbnuu 4511 uucp uucp PASS 7059dea52454585b825d2fe731bd9ccf /usr/bin/uucp
SUNWbnuu 4511 uucp uucp PASS 784a41f571364cf7dd15d91798494528 /usr/lib/uucp/uucico
SUNWbnuu 4511 uucp uucp PASS bdb1aa92b2169d8774f1ad8aea589aa7 /usr/bin/uux
SUNWbnuu 4511 uucp uucp PASS d6bb0cfc77f20d31c64d3af07044b8f6 /usr/bin/cu
SUNWcacaort 4511 root sys PASS 5bce4227db29f95813a6c7c13cc7d46d /usr/lib/cacao/lib/tools/cacaocsc
SUNWcdrw 4755 root bin PASS 7ab3bed64d212595784a85f65b062d51 /usr/bin/cdrw
SUNWcsu 4511 uucp bin PASS d9ac90c128f8f2750b3a49ae0c340ab4 /usr/bin/tip
SUNWcsu 4555 root bin PASS 226f94dd9845c934a98fc7f2aaa19523 /usr/bin/fdformat
SUNWcsu 4555 root bin PASS 24cf3f5258e5df4acccfed98a8822af3 /usr/lib/fs/ufs/ufsdump
SUNWcsu 4555 root bin PASS 316e3db185c014eae1d7881293a72c41 /usr/lib/utmp_update
SUNWcsu 4555 root bin PASS 3bfd7b1fc9811058b24bcbd42f826dc2 /usr/bin/amd64/uptime
SUNWcsu 4555 root bin PASS 61c7000154baedd954a9e9dd461e390e /usr/lib/fs/ufs/quota
SUNWcsu 4555 root bin PASS 6269d65e9c176610ca42d498970eeff8 /usr/bin/login
SUNWcsu 4555 root bin PASS 6493ff50d04d5cdb4264407f0f2e8c78 /usr/sbin/i86/whodo
SUNWcsu 4555 root bin PASS 78fe5243a4dc6a5f4dca4e3e23c6a673 /usr/bin/i86/uptime
SUNWcsu 4555 root bin PASS 7b5f21df1819f2b69237579b8a1a0fe6 /usr/sbin/allocate
SUNWcsu 4555 root bin PASS 8c97df084b4e5f98e282857926fd86cb /usr/bin/pfexec
SUNWcsu 4555 root bin PASS bf1cb47e81689184214c6a83f63cdfb1 /usr/bin/crontab
SUNWcsu 4555 root bin PASS c96b766b4ccbac6431b1e815bb65bdde /usr/lib/fs/ufs/ufsrestore
SUNWcsu 4555 root bin PASS ca0d8f737092afaed8fb083668d80be1 /usr/sbin/traceroute
SUNWcsu 4555 root bin PASS f535cdc0d54439c14d8c92e915df83ea /usr/sbin/amd64/whodo
SUNWcsu 4555 root sys PASS 14bb586161ad6de0d6e8b891a797f385 /usr/bin/su
SUNWcsu 4555 root sys PASS e213aa06105763694156369709f7c0dd /usr/bin/amd64/newtask
SUNWcsu 4555 root sys PASS f88d0e395c4e5a8403e2273af8d73ea6 /usr/bin/i86/newtask
SUNWcsu 4755 root sys PASS 526d58c2ecc92e8678700a8514f697c5 /usr/bin/at
SUNWcsu 4755 root sys PASS 8c028119f2a38570f3bac37b4a0f83db /usr/bin/atq
SUNWcsu 4755 root sys PASS b3013b0aacd83a60208b015d47568040 /usr/sbin/sacadm
SUNWcsu 4755 root sys PASS c84a3ab1da0e4db2fdfb45ea20bdb51e /usr/bin/newgrp
SUNWcsu 4755 root sys PASS eaaf142b658cafa113a8ec0c41e0ecdb /usr/bin/atrm
SUNWcsu 6555 root sys PASS 5c2f4716b3713a6b3258dc3ef9b3b5c7 /usr/bin/passwd
SUNWdtbas 6555 root sys PASS b7203985ff6f6d5d2d356597a4864d11 /usr/dt/bin/dtaction
SUNWdtdmn 6555 root daemon PASS fc82558b87e32747c81f398a9656e90d /usr/dt/bin/sdtcm_convert
SUNWdtdst 4555 root bin PASS 62343f01fb78de1f18cea2e3dc10bb0c /usr/dt/bin/dtprintinfo
SUNWdtdst 4555 root bin PASS 624a41d131fb86054da0f860c898e97e /usr/dt/bin/dtfile
SUNWdtdte 4555 root bin PASS 86794ad490355171a79d6941f0babde3 /usr/dt/bin/dtappgather
SUNWdtwm 4555 root bin PASS 3dd7de38e474409e4e677bacc10130b9 /usr/dt/bin/dtsession
SUNWgnome-sys-suspend 4711 root bin UNSIGN 290ca164439161635c0d23d525bcead8 /usr/lib/gnome-suspend
SUNWmcos 4555 root sys PASS 381166949a022ebf659ef0cab6e275ff /usr/lib/webconsole/adminverifier
SUNWmcos 4555 root sys PASS fe73cd9209baf01586c2bc44b003434e /usr/lib/webconsole/pamverifier
SUNWnisu 4555 root sys PASS f6f934c50750f22791b1a4a23db437cd /usr/bin/chkey
SUNWpcu 4511 root lp PASS 6b71b3fb8bd8edeb77e90bcb40896842 /usr/bin/lpset
SUNWpmowu 4555 root bin PASS ecabbf94c13052cfe793985f388a3357 /usr/openwin/bin/sys-suspend
SUNWpmu 4555 root bin PASS 5f13d302a6ae4d5e0d3d03e28fa8f845 /usr/sbin/pmconfig
SUNWpppdu 4555 root bin PASS f762762ffe2349a59156b2621d540db6 /usr/bin/pppd
SUNWpprou 4555 root bin PASS 227be03e256c6dcc8c07c45275837195 /usr/sbin/smpatch
SUNWpsm-lpd 4511 root bin PASS 69b0a7e7ef6952a3bf0b9094a718b85b /usr/lib/print/lpd-port
SUNWpsu 4511 root bin PASS e80d4264a38f803dc6ca696d22c0e97e /usr/lib/lp/bin/netpr
SUNWrcmdc 4555 root bin PASS 49fab30241d57a8ab085804312238a94 /usr/bin/rcp
SUNWrcmdc 4555 root bin PASS 54391ee93e29e392d094260b3d4b3d68 /usr/bin/rsh
SUNWrcmdc 4555 root bin PASS 569ac7fbd0df6eea1430a601b7ecca39 /usr/bin/rlogin
SUNWrcmdc 4555 root bin PASS 5f206a9c57570976301642b8a929d94d /usr/bin/rdist
SUNWrmvolmgr 4555 root bin PASS e8f97baf47fe6400567e0518c259e157 /usr/bin/rmformat
SUNWsndmu 4555 root bin PASS 6df3ae57fb3cc0f83bea9f806ebcb84f /usr/bin/mailq
SUNWsshcu 4555 root bin PASS 6a5efb5008794fa74074de7f06e1456a /usr/lib/ssh/ssh-keysign
SUNWwlanr 4755 root bin PASS b907467dcbc24e79f191fc31f90fae6d /sbin/wificonfig
SUNWxcu4 4555 root bin PASS 97cc4f6659c3f8b85910d28c07c0fa9c /usr/xpg4/bin/crontab
SUNWxcu4 4755 root sys PASS f4ae837685c632d8df16891caa718053 /usr/xpg4/bin/at
SUNWxcu6 4555 root bin PASS 418a5488f784886fb545afc70530e59f /usr/xpg6/bin/crontab
SUNWxorg-server 4555 root bin PASS 5641dd1147ea1a088dba31235d898aa3 /usr/X11/bin/i386/Xorg
SUNWxorg-server 4555 root bin PASS 83ece035a60d7f98ed2ab1b15dbd3c76 /usr/X11/bin/amd64/Xorg
SUNWxsun-server 4755 root bin PASS 1938f2c3b4548ad0113ce52ef2d3d328 /usr/openwin/bin/Xsun
SUNWxwplt 4755 root bin PASS 515b26b22fa5d787808a993512202600 /usr/openwin/bin/xlock
SUNWxwsvr 4555 root bin PASS f2187476d6491e7b439b997259a10062 /usr/X11/bin/xscreensaver
Set-GID Programs
SUNWcsu 2511 root mail PASS 0a732e9746d3033f82bd1a19c7521dfb /usr/bin/mailx
SUNWcsu 2511 root mail PASS 38aa1ab24793bcbd9dbff6b22447bf2a /usr/bin/mail
SUNWcsu 2555 root bin PASS b36e0818f80a0c2e2f0710d23e184d5d /usr/sbin/eeprom
SUNWcsu 2555 root sys PASS 128eeaab017cbb492f0f0bbfcfdc8ff1 /usr/sbin/amd64/prtconf
SUNWcsu 2555 root sys PASS 1e60d93817985dedb7720e1e5ab6892c /usr/sbin/i86/prtconf
SUNWcsu 2555 root sys PASS 3099609858ed2234ffaaa597ec5d3bba /usr/sbin/amd64/sysdef
SUNWcsu 2555 root sys PASS 51f912b98d75019889c8921f5b42e826 /usr/sbin/amd64/swap
SUNWcsu 2555 root sys PASS 749a05fa3cbe0f27a220678a9defe895 /usr/sbin/i86/sysdef
SUNWcsu 2555 root sys PASS c3ec5940f697917257fca3a16ec1a07a /usr/sbin/i86/swap
SUNWcsu 2555 root tty PASS 091ee44402b7870a55e8f3d47adb7ce2 /usr/sbin/wall
SUNWcsu 2555 root tty PASS 26116f7ed5064c4e29720b629d824bb9 /usr/bin/write
SUNWcsu 2755 root sys PASS 7b44b3ead9ecda4c465a826c2ab56ed9 /usr/sbin/prtdiag
SUNWcsu 6555 root sys PASS 5c2f4716b3713a6b3258dc3ef9b3b5c7 /usr/bin/passwd
SUNWdtbas 6555 root sys PASS b7203985ff6f6d5d2d356597a4864d11 /usr/dt/bin/dtaction
SUNWdtdmn 6555 root daemon PASS fc82558b87e32747c81f398a9656e90d /usr/dt/bin/sdtcm_convert
SUNWdtdst 2555 root mail PASS 36dd0001f2ed41be07b027d1c02d115d /usr/dt/bin/dtmailpr
SUNWdtdst 2555 root mail PASS fdae40512f82352ba3e74f1b463f97b1 /usr/dt/bin/dtmail
SUNWgnome-games 2555 root bin PASS 103f02a4a24446506c7f8ace5026cbe3 /usr/bin/gnobots2
SUNWgnome-games 2555 root bin PASS 3db3e19d6299bfa875501179d99846ec /usr/bin/mahjongg
SUNWgnome-games 2555 root bin PASS 411180c45b893cac7c0dc673849c5097 /usr/bin/gnotravex
SUNWgnome-games 2555 root bin PASS 60acedf6d46a25884726273d56b7bc0f /usr/bin/glines
SUNWgnome-games 2555 root bin PASS 6f80e05e7b954b46516ca69cd7fc1377 /usr/bin/gnibbles
SUNWgnome-games 2555 root bin PASS 7db26899831c27556158d650fc8bbde8 /usr/bin/gtali
SUNWgnome-games 2555 root bin PASS a9694142b04f9cd030b87a2f5392d4af /usr/bin/gnotski
SUNWgnome-games 2555 root bin PASS b31d94aadd219580d7fc0e8480c35279 /usr/bin/same-gnome
SUNWgnome-games 2555 root bin PASS ca97825cae9ab8fa3a6ee5aff97768e3 /usr/bin/gnomine
SUNWsndmu 2555 root smmsp PASS 6350af850a401cb3c609d9e0067958ac /usr/lib/sendmail
SUNWxprint-server 2755 root root PASS 36d71e7b95bf992c9101a0c9f44779fd /usr/openwin/bin/Xprt
SUNWxwplt 2755 root root PASS 59a296e934338ef9fa2d33347d8ed750 /usr/openwin/bin/lbxproxy
World Writable Files
SUNWbnur 1777 uucp uucp NOTELF [Target_Is_Directory] /var/spool/uucppublic
SUNWcsr 0666 root bin NOTELF d41d8cd98f00b204e9800998ecf8427e /var/adm/spellhist
SUNWcsr 1777 root bin NOTELF [Target_Is_Directory] /var/preserve
SUNWcsr 1777 root mail NOTELF [Target_Is_Directory] /var/mail
SUNWcsr 1777 root sys NOTELF [Target_Is_Directory] /var/tmp
SUNWdtscm 0666 root root NOTELF eb6d8ae6f20283755b339c0dc273988b /var/dt/dtpower/_current_scheme
SUNWdtscm 1777 root root NOTELF [Target_Is_Directory] /var/dt/dtpower/schemes
SUNWiqr 1777 root sys NOTELF [Target_Is_Directory] /var/imq/instances
SUNWkrbr 1777 root sys NOTELF [Target_Is_Directory] /var/krb5/rcache
SUNWmconr 0777 root sys NOTELF [Target_Is_Directory] /var/webconsole/tmp
SUNWpkgcmdsr 1777 root bin NOTELF [Target_Is_Directory] /var/spool/pkg
SUNWscpr 1777 root sys NOTELF [Target_Is_Directory] /tmp
SUNWsmbar 1777 root bin NOTELF [Target_Is_Directory] /var/spool/samba
Non-Sticky World Writable Directories
SUNWmconr 0777 root sys NOTELF [Target_Is_Directory] /var/webconsole/tmp
So whether you are interested in finding set-uid or set-gid programs, verifying their integrity (directly via elfsign(1) or using the Solaris Fingerprint Database) or perhaps something else entirely, the Solaris Interesting File Discovery tool could be another useful weapon in your security auditing/forensics arsenal.
For those interested, this output is from a
At any rate, check out the tool and drop me a note with your feedback! I would love to hear from you!
Take care,
Glenn
Posted at 04:51PM Jul 23, 2007
by gbrunett in Solaris 10 Security
Tags: opensolaris, security, software, solaris, tool-ifd