Using Tracer

Tracer is probably the easiest-to-use program ever invented. Once it is installed (installation on one system is included with your purchase), you simply type:
tracer
whenever you want to run it. To repair problems found by Tracer, all you do is follow the instructions it provides.
For example, Tracer might indicate as follows:
+++ NOTICE chargen services are not used.
In /etc/services change:
FROM: chargen 19/tcp ttytst source
TO: # chargen 19/tcp ttytst source
FROM: chargen 19/udp ttytst source
TO: # chargen 19/udp ttytst source
To repair this problem, all you have to do is make the changes it identifies. Here's another example:
User 'root' should not be permitted remote ftp access. Add the following line to /etc/ftpusers to repair this: root
To repair this problem, simply add the appropriate line to the named file. Here's one further example:
***** Danger - /var/tmp should ONLY be writable by its owner. Use 'chmod g-w /var/tmp' to repair this.
Again, all you have to do is follow the directions.
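The three findings above (an enabled but unused chargen service, root permitted FTP access, and a group-writable /var/tmp) can be reproduced as plain file and permission checks. The following Python is an added example, not Tracer's own code; it works on file contents and st_mode bits passed in as values, and the sample services and ftpusers text is constructed for the example.

```python
"""Tracer-style configuration checks (added illustration, not Tracer's code).

Each check is a pure function over file text or permission bits, so it can be
run offline against constructed input and its advice compared with the
FROM/TO style notices shown on the page.
"""
import stat

# Services the checker treats as unnecessary (assumption for this example).
UNUSED_SERVICES = ("chargen",)


def check_services(services_text):
    """Return (FROM, TO) pairs for uncommented /etc/services entries of unused services.

    The TO line is the FROM line commented out, exactly as Tracer advises.
    """
    advice = []
    for line in services_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or already disabled
        name = stripped.split()[0]
        if name in UNUSED_SERVICES:
            advice.append((line, "# " + line))
    return advice


def check_ftpusers(ftpusers_text, account="root"):
    """Return the line to add to /etc/ftpusers, or None if the account is already denied."""
    denied = {l.strip() for l in ftpusers_text.splitlines()
              if l.strip() and not l.strip().startswith("#")}
    return None if account in denied else account


def check_dir_mode(mode):
    """Return the chmod needed so only the owner can write, or None if that already holds.

    `mode` is an st_mode value as returned by os.stat(); only write bits are examined.
    """
    fixes = []
    if mode & stat.S_IWGRP:
        fixes.append("g-w")
    if mode & stat.S_IWOTH:
        fixes.append("o-w")
    return "chmod " + ",".join(fixes) if fixes else None


# --- constructed sample inputs -------------------------------------------
SAMPLE_SERVICES = """\
echo            7/tcp
chargen         19/tcp          ttytst source
chargen         19/udp          ttytst source
# discard       9/tcp           sink null
"""
SAMPLE_FTPUSERS = "# deny list\nbin\nuucp\n"
SAMPLE_VAR_TMP_MODE = 0o40775   # directory, rwxrwxr-x: group-writable


def report():
    """Produce Tracer-style notices for the constructed samples."""
    lines = []
    pairs = check_services(SAMPLE_SERVICES)
    if pairs:
        names = sorted({old.split()[0] for old, _ in pairs})
        lines.append("+++ NOTICE %s services are not used." % ", ".join(names))
        lines.append("In /etc/services change:")
        for old, new in pairs:
            lines.append("FROM: " + old)
            lines.append("TO:   " + new)
    add = check_ftpusers(SAMPLE_FTPUSERS)
    if add:
        lines.append("User '%s' should not be permitted remote ftp access. "
                     "Add the following line to /etc/ftpusers to repair this: %s"
                     % (add, add))
    fix = check_dir_mode(SAMPLE_VAR_TMP_MODE)
    if fix:
        lines.append("***** Danger - /var/tmp should ONLY be writable by its owner. "
                     "Use '%s /var/tmp' to repair this." % fix)
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

To run the directory check against a live system, pass `os.stat("/var/tmp").st_mode` to `check_dir_mode`; on many current systems /var/tmp is deliberately mode 1777 with the sticky bit, so whether that is a finding or expected configuration is a site decision.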
Some of the things that Tracer looks for don't have cut-and-dried solutions. In analyzing audit trails, for example, Tracer can be tuned to report only events of interest, but each organization has its own way of dealing with detected events. An audit detection like this one:
Looking for 'LOGIN FAILURE'
The following entries (if any) indicate failed login attempts. Numerous failed login attempts on normally unused accounts are a strong indicator of intentional attack.
Mar 3 10:49:50 all login: LOGIN FAILURE ON ttyp6 FROM unix, No
Mar 3 10:49:53 all login: LOGIN FAILURE ON ttyp6 FROM unix, No
Mar 3 10:50:03 all login: LOGIN FAILURE ON ttyp6 FROM unix, Our
Mar 3 10:50:07 all login: LOGIN FAILURE ON ttyp6 FROM unix, Our
Mar 3 10:50:17 all login: LOGIN FAILURE ON ttyp6 FROM unix, For
Mar 3 10:50:22 all login: LOGIN FAILURE ON ttyp6 FROM unix, For
Mar 3 10:50:32 all login: LOGIN FAILURE ON ttyp6 FROM unix, Have
Mar 3 10:50:35 all login: LOGIN FAILURE ON ttyp6 FROM unix, Have
would generate different responses in different organizations. For that reason, the instructions for this section of the tests advise:
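Tracer lists the LOGIN FAILURE entries and leaves the response to the site. As an added example (not Tracer's own code and not part of the original page), the following Python takes the eight entries quoted above, plus one unrelated line and one isolated failure constructed for contrast, and turns them into the two facts a responder usually wants first: whether the failures form a burst on one terminal from one source, and which account names were tried. The syslog line pattern, the burst threshold and the two-minute window are assumptions.

```python
"""Failed-login triage over syslog lines (added illustration, not Tracer's code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Classic BSD syslog prefix ("Mon DD HH:MM:SS host prog:") followed by the
# login program's failure message in the form shown in the Tracer output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login: "
    r"LOGIN FAILURE ON (?P<tty>\S+) FROM (?P<src>[^,]+), (?P<user>.*)$"
)

# Constructed sample: the eight entries quoted on the page, plus one unrelated
# line and one isolated failure on another terminal for contrast.
SAMPLE_LOG = """\
Mar 3 10:49:40 all login: ROOT LOGIN ttyp1
Mar 3 10:49:50 all login: LOGIN FAILURE ON ttyp6 FROM unix, No
Mar 3 10:49:53 all login: LOGIN FAILURE ON ttyp6 FROM unix, No
Mar 3 10:50:03 all login: LOGIN FAILURE ON ttyp6 FROM unix, Our
Mar 3 10:50:07 all login: LOGIN FAILURE ON ttyp6 FROM unix, Our
Mar 3 10:50:17 all login: LOGIN FAILURE ON ttyp6 FROM unix, For
Mar 3 10:50:22 all login: LOGIN FAILURE ON ttyp6 FROM unix, For
Mar 3 10:50:32 all login: LOGIN FAILURE ON ttyp6 FROM unix, Have
Mar 3 10:50:35 all login: LOGIN FAILURE ON ttyp6 FROM unix, Have
Mar 3 11:30:00 all login: LOGIN FAILURE ON ttyp2 FROM unix, guest
""".splitlines()


def parse_failures(lines, year=1900):
    """Return one dict per LOGIN FAILURE line; lines that do not match are skipped.

    Syslog carries no year, so one is supplied (default 1900, strptime's default).
    """
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        out.append({"ts": ts, "host": m.group("host"), "tty": m.group("tty"),
                    "src": m.group("src"), "user": m.group("user")})
    return out


def find_bursts(failures, threshold=3, window=timedelta(minutes=2)):
    """Map (tty, source) -> size of the largest run of at least `threshold`
    failures that fall within `window`; keys that never reach it are absent."""
    by_key = defaultdict(list)
    for f in failures:
        by_key[(f["tty"], f["src"])].append(f["ts"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                flagged[key] = max(flagged.get(key, 0), size)
    return flagged


def accounts_tried(failures):
    """Count failures per attempted account name (the 'unused accounts' question)."""
    return Counter(f["user"] for f in failures)


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_LOG)
    for (tty, src), n in find_bursts(failures).items():
        print("%d failures on %s from %s within 2 minutes" % (n, tty, src))
    for user, n in accounts_tried(failures).most_common():
        print("  account %-8s tried %d time(s)" % (user, n))
```

Run against a real audit trail, `parse_failures` would take the lines of the login log instead of `SAMPLE_LOG`; the threshold and window are the knobs an organization would set according to its own policy for handling detected events.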