Functions of Tracer: Tracer performs 24 different kinds of tests of a Unix system to detect configuration errors, known vulnerabilities, corruptions, and other items of interest. This section of the manual describes these functions.
When you first turn on your computer, chances are there are a lot of services enabled that you'd rather not make available to attackers. It usually takes months to tune them all properly, but with our tool you can get the same job done in a matter of minutes.
Do you let remote hosts have too many privileges on your machine? We help detect excessive privileges and tell you how to remedy the problem.
Remote host access is one of the most common techniques attackers use to secure a reentry into your computer once a break-in occurs. We'll help you find and fix these holes and keep them out in the future.
NFS holes can let remote users view and alter your user and system files. By finding and fixing the holes quickly, you close the window of vulnerability.
Even your line printer daemons can be exploited in attacks, and we'll let you know if you're susceptible to attacks reported over the last few years.
Are your terminal connections insecure? We'll help you find out and tell you how to secure them.
Are your TCP wrappers too loose? We'll help you tighten them up.
Aliases can let unprivileged users act like privileged users, change the way your email gets delivered, and introduce holes for remote attackers. With our checks, you can close the alias holes that attackers commonly use.
Sendmail has a lot of configuration gotchas. We find them and tell you how to remove them. Then we test your sendmail daemon for common remote attacks and tell you how to remove the vulnerabilities we find.
Does your password file allow remote NIS password lookups? Does it have multiple user IDs with root access? Do locked-out users have the wrong default shells? These and many more gotchas are detected and reported.
If the ftp SITE EXEC bug is active in your system, you'll want to know so you can disable it. We'll tell you.
Many sites permit anonymous FTP, but properly configuring your FTP server isn't easy. Our tests help you identify configuration errors and eliminate them.
Your system is most vulnerable when it reboots. We look at the startup files to find improper settings and known anomalies.
Can someone attack your terminal and use it to get access to your account? Can they log in as root remotely? We identify attackable terminal types and misconfigured terminal privileges.
Are your users setting permissions too promiscuously? We'll find out and let you know.
Files owned by root are particularly important to protect properly, and we help you do it.
Does a critical binary or library file have a reference to a user-owned or writable file? We'll find them and let you know.
Extra init processes? Too many inet daemons? Wrong process IDs for critical system processes? Programs running by root or other users that aren't supposed to be? Old processes? Zombie processes? Terminal processes that shouldn't be there? We'll find them for you and report them.
Password guessing (as in Crack) is done based on the user IDs, GCOS information, short passwords, missing passwords, locked passwords, and a list of commonly used passwords. Lists can easily be extended or changed.
Special Unix configuration files are examined for content and location and known anomalies are detected and reported. Add your own files and anomalies for local conditions, or remove the ones we have that you don't care about.
Writable files and directories are found and identified and appropriate warnings are given as to the potential harm that could result from the abuse of these files and directories.
All setUID programs are found and checked. Files that are setUID to system accounts and stored in non-system areas are identified, as are known bad setUID programs and other anomalous setUID patterns.
System files are examined for all identifying signs of change, ranging from changes in protection settings to changes in file content as indicated by an MD5 checksum. Missing files, new files, and changed files are indicated and the nature of the change is categorized. It catches all sorts of things, including attempts to put Ethernet interfaces into promiscuous mode, sendmail attacks, and many others.
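The change-detection check described above, reduced to its core: snapshot the protection settings, ownership and MD5 of a list of system files, then compare a saved baseline against a fresh snapshot and categorize each difference as missing, new, changed content, changed protection or changed ownership. This is an added illustration, not Tracer's own code; the sample snapshots and paths in it are constructed.

```python
import hashlib
import os
import stat

# MD5 is used because that is the digest the manual names; a checker written
# today would prefer SHA-256, but the comparison logic is identical.

def snapshot(paths):
    """Record mode bits, owner, group and MD5 for each path that exists."""
    snap = {}
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # absent files surface as "missing" in compare()
        entry = {"mode": stat.S_IMODE(st.st_mode),
                 "uid": st.st_uid, "gid": st.st_gid, "md5": None}
        if stat.S_ISREG(st.st_mode):
            with open(path, "rb") as fh:
                entry["md5"] = hashlib.md5(fh.read()).hexdigest()
        snap[path] = entry
    return snap

def compare(baseline, current):
    """Categorize differences between two snapshots: missing, new,
    content changed, protection (mode) changed, ownership changed."""
    report = {"missing": sorted(p for p in baseline if p not in current),
              "new": sorted(p for p in current if p not in baseline),
              "content": [], "protection": [], "owner": []}
    for path in sorted(set(baseline) & set(current)):
        old, new = baseline[path], current[path]
        if old["md5"] != new["md5"]:
            report["content"].append(path)
        if old["mode"] != new["mode"]:
            report["protection"].append(path)  # e.g. setuid added or world-write opened
        if (old["uid"], old["gid"]) != (new["uid"], new["gid"]):
            report["owner"].append(path)
    return report

if __name__ == "__main__":
    # Constructed sample snapshots standing in for a saved baseline and a fresh scan.
    baseline = {"/etc/passwd": {"mode": 0o644, "uid": 0, "gid": 0, "md5": "aaaa"},
                "/bin/login": {"mode": 0o4755, "uid": 0, "gid": 0, "md5": "bbbb"},
                "/etc/hosts.equiv": {"mode": 0o644, "uid": 0, "gid": 0, "md5": "cccc"}}
    current = {"/etc/passwd": {"mode": 0o644, "uid": 0, "gid": 0, "md5": "dddd"},
               "/bin/login": {"mode": 0o4777, "uid": 0, "gid": 0, "md5": "bbbb"},
               "/etc/rc.local": {"mode": 0o644, "uid": 0, "gid": 0, "md5": "eeee"}}
    for category, paths in compare(baseline, current).items():
        print(category, paths)
```

In real use the baseline snapshot is written to read-only or offline storage right after a clean install, and each later run of snapshot() over the same path list is compared against it.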
Audit reduction is performed by examining various audit trails and removing information known to reflect normal behavior. Remove the known good stuff and what remains is to be questioned. We then classify the questionable items into known attack patterns, likely attacks, items that are unusual but not necessarily reflective of attacks, and items that are not identified as safe.