Solaris Interesting File Discovery Tool
Friday Jun 23, 2006
Following up on my posting of the
Solaris Package Companion yesterday, I would like to post one more of my little utilities, called the Interesting File Discovery Tool (IFD). This tool is not taking on an overly grand challenge, but it does come in handy in a number of situations when you need to match up information being reported by the OS with information that is coming from the original distribution.
IFD is a simple utility that allows you to obtain a list of set-uid, set-gid, and world writable objects (including an option to just find world writable directories lacking the sticky bit). Certainly, there have been tools that have done this for ages. The Solaris Security Toolkit, for example, includes scripts (called print-suid-files.fin, print-sgid-files.fin, and print-world-writable-objects.fin) that pull this information directly from the filesystem.
IFD is different, however. Rather than pull the information from the filesystem (which can be easily accomplished using just the find(1) command), the Interesting File Discovery tool collects information on these files from a number of different sources including: (1) the OS distribution, (2) the local system's /var/sadm/pkg directory and (3) the local system's /var/sadm/install/contents file. These are all useful sources for this information, since comparing what each one reports can help an investigator.
For example, one could determine that there exists a program (shipped in the Solaris OS) that is set-uid on the filesystem and perhaps in the "contents" file, but it is not set-uid in the package repository or in the Solaris OS distribution. While this may not necessarily mean that there is a problem, it may point to an area requiring more investigation. This could be used in concert with tools such as the Solaris Fingerprint Database or even Solaris 10 BART to determine the authenticity of a given program and its permissions.
Before we give it a spin, let's take a look at how the tool is used and what options are available:
$ ./ifd-v0.3.sh -h
./ifd-v0.3.sh - Interesting File Discovery Tool
ifd -[ugnw] [-q] { -c | -l | [Solaris Product Directory] }
-c Collect information from /var/sadm/install/contents
-g Print information on files with the set-gid bit set
-h Display this message
-l Collect information from /var/sadm/pkg
-n Print information on WW directories without sticky bit set
-q Quite mode. Do not print headers.
-u Print information on files with the set-uid bit set
-w Print information on world writable files and directories
-? Display this message
So, let's see how this little tool works... In the first example, the tool is used to uncover set-uid files from a Solaris OS distribution:
$ ./ifd-v0.3.sh -u /export/install/images/s10u1/Solaris_10/Product
Set-UID Programs
4511 root bin usr/lib/lp/bin/netpr
4511 root bin usr/lib/print/lpd-port
4511 root bin usr/lib/pt_chmod
4511 root lp usr/bin/cancel
4511 root lp usr/bin/lp
4511 root lp usr/bin/lpset
4511 root lp usr/bin/lpstat
4511 root lp usr/sbin/lpmove
4511 root uucp usr/bin/ct
4511 uucp bin usr/bin/tip
[... other results removed for brevity ...]
Another way you can use this is to collect information from the local package repository. For this example, we will look for set-gid files:
$ ./ifd-v0.3.sh -g -l
Set-GID Programs
2511 root mail usr/bin/mail
2511 root mail usr/bin/mailx
2555 root mail dt/bin/dtmail
2555 root mail dt/bin/dtmailpr
2555 root smmsp usr/lib/sendmail
2555 root sys usr/platform/i86pc/sbin/eeprom
2555 root sys usr/sbin/amd64/prtconf
2555 root sys usr/sbin/amd64/swap
2555 root sys usr/sbin/amd64/sysdef
2555 root sys usr/sbin/i86/prtconf
[... other results removed for brevity ...]
Finally, let's look for world writable files (and directories) using just the local /var/sadm/install/contents file:
$ ./ifd-v0.3.sh -w -l
World Writable Files
0622 bin bin usr/oasys/tmp/TERRLOG
0666 root bin var/adm/spellhist
0666 root root var/dt/dtpower/_current_scheme
1777 root bin var/preserve
1777 root bin var/spool/pkg
1777 root bin var/spool/samba
1777 root mail var/mail
1777 root root var/dt/dtpower/schemes
1777 root sys tmp
1777 root sys var/krb5/rcache
[... other results removed for brevity ...]
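To show what the contents-file source involves, here is an added shell example that is not the IFD tool's own code: it classifies /var/sadm/install/contents-style records by set-uid, set-gid, world-writable, or world-writable-without-sticky, printing them in the same "mode owner group path" style as above, plus the owning package so the result can be cross-checked against /var/sadm/pkg. The record layout is assumed from contents(4), and the sample records are constructed.

```shell
#!/bin/sh
# Added example, not part of the IFD tool: classify entries of a
# /var/sadm/install/contents-style file the way ifd's -u/-g/-w/-n options do.
# Assumed record layout (contents(4)): path type class mode owner group
# [size cksum modtime] pkg...  Only f/e/v (files) and d (directories) carry a mode.
# Constructed sample records; sizes, checksums and times are made up.
SAMPLE_CONTENTS='/usr/bin/su f none 4555 root sys 27432 52563 1106444349 SUNWcsu
/usr/bin/mail f none 2511 root mail 81344 17033 1106444349 SUNWcsu
/etc/passwd e passwd 0644 root sys 580 45567 1106444349 SUNWcsr
/tmp d none 1777 root sys SUNWcsr
/var/spool/pkg d none 1777 root bin SUNWcsr
/var/dt/dtpower d none 0777 root root SUNWdtbas
/bin=./usr/bin s none SUNWcsr
/usr/bin/red=../../usr/bin/ed l none SUNWcsu'
# ifd_scan CLASS FILE
#   CLASS: u set-uid, g set-gid, w world writable, n world-writable dir without sticky bit
# Prints "mode owner group path pkg..." in the tool's style (leading / stripped).
ifd_scan() {
    awk -v want="$1" '
    $2 ~ /^[fevd]$/ {
        mode    = sprintf("%04d", $4)       # normalise 644 -> 0644
        special = substr(mode, 1, 1) + 0    # set-uid 4, set-gid 2, sticky 1
        other   = substr(mode, 4, 1) + 0    # rwx bits for "other"
        suid    = int(special / 4) % 2
        sgid    = int(special / 2) % 2
        sticky  = special % 2
        ow      = int(other / 2) % 2        # other-write bit
        hit = 0
        if      (want == "u") hit = suid
        else if (want == "g") hit = sgid
        else if (want == "w") hit = ow
        else if (want == "n") hit = ($2 == "d" && ow && !sticky)
        if (!hit) next
        path = $1; sub(/^\//, "", path)
        pkgs = ""                           # owning package(s): cross-check /var/sadm/pkg
        for (i = ($2 == "d") ? 7 : 10; i <= NF; i++) pkgs = pkgs " " $i
        print mode, $5, $6, path pkgs
    }' "$2"
}
# Demo: run every class over the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_CONTENTS" > "$tmp"
for class in u g w n; do
    echo "== -$class =="
    ifd_scan "$class" "$tmp"
done
rm -f "$tmp"
```

Point it at a real contents file with `ifd_scan u /var/sadm/install/contents` and diff the result against a `find`-based listing of the live filesystem to spot entries whose recorded and actual modes disagree.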
So, there you have it. Nothing earth shattering, but a useful little tool nonetheless. Please let me know if you use it, like it, hate it, have ideas to improve it, etc. I always love to get feedback.
Take care,
Glenn
Posted at 02:11PM Jun 23, 2006 by gbrunett in Solaris 10 Security Tags: opensolaris security software solaris tool-ifd