SekChek Classic: Run-Time Options for UNIX Systems

What is the purpose of the run-time options?

The run-time options control the scope of the Scan and your security analysis.

We decided to make certain steps optional because on a large system they can run for a long time and the output files can be very large.

If the information is not important to your audit objective, we recommend you consider excluding it from the Scan process.

The 6 optional steps, including the various prompts issued at the start of the Scan process, are detailed below.

Important: To avoid disappointment, ensure the person running the Scan is aware of your processing requirements.


1. SekChek File Header

Run-time prompt

Do you want to write a header containing host details to the extract file?

Enter: ‘Y’ [default], ‘N’, or ‘I’ [for Information]

More information

Choose ‘Y’ to write the name of the host computer and the name of the user running the extract to a header in the extract file. This information is useful for confirming that the Scan was run on the intended host.

Note that the header can be read by anyone with access to the file.


2. Files with SUID (Switch User Id) and SGID (Switch Group Id) permissions

Run-time prompt

Do you want to analyse details of programs that SUID?

Enter: ‘Y’ [default], ‘N’, or ‘I’ [for Information]

More information

This step will scan permissions on all programs that switch user ID (SUID) when they execute. These programs assume the identity of the user owning the executable (often root), rather than the user executing the program.

It is important to maintain strong permissions on these programs because unauthorised changes or program substitutions could allow intruders to gain access to the root account and to all resources on your system.

This step could take 30 minutes or longer on large file systems.


3. Permissions on programs in the search path

Run-time prompt

Do you want to analyse permissions on programs in the System path?

Enter: ‘Y’ [default], ‘N’, or ‘I’ [for Information]

More information

This step will scan permissions on all files residing in all directories in the system search path. This path is searched each time a program or command is executed to determine the location of the program.

Inappropriate permissions on these programs could lead to unauthorised changes or program substitutions, which could have serious security implications.

This step will generate a large amount of output if the directories in the system path contain a large number of files.


4. Files with world-writeable permissions

Run-time prompt

Do you want to analyse details of World-Writeable files?

Enter: ‘Y’ [default], ‘N’, or ‘I’ [for Information]

More information

This step will scan all files and output those with world-writeable permissions on them. World-writeable permissions on a program or file allow all users with access to your system to change or delete the file.

Sensitive files or programs should not be world-writeable and should be assigned to an appropriate owner.

This step could take 30 minutes or longer on large file systems.


5. Trivial password analysis

Run-time prompt

Do you want to analyse encrypted password information from password and shadow password files?

Enter: ‘Y’ [default], ‘N’, or ‘I’ [for Information]

More information

This step will scan encrypted password information in password and shadow password files in order to determine trivial, easy-to-guess passwords.

Note: SekChek is not capable of removing encrypted password information on Trusted Computing Base systems that store data in non-text format.


6. Network File System (NFS) mounts

Run-time prompt

Do you want to include NFS Mounts in the analysis of file and directory permissions?

Enter: ‘Y’ [default], ‘N’, or ‘I’ [for Information]

More information

This step will include NFS mounts in the extraction of file and directory permissions.

NFS mounts are links to directories residing on remote servers.

If you select No, SekChek will only analyse files and directories that reside on local disks.

Scanning the permissions of files and directories residing on NFS mounts may cause the Scan to run for a very long time.
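
The checks described in steps 2, 3, 4 and 6 can be approximated with the standard find command. The following is an added example, not SekChek's own code: the function names and the script name perm_scan.sh are hypothetical, and find's -xdev option (stay on the starting file system) stands in for answering 'N' to the NFS prompt.

```shell
#!/bin/sh
# Added example (not SekChek's code): read-only permission checks.
# -xdev keeps find on the starting file system, so NFS or other mounts
# below the start directory are not descended into (step 6 answered 'N').

# Step 2: regular files with the SUID or SGID bit set under directory $1.
find_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Step 4: regular files writable by "other" (world-writeable) under $1.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null
}

# Step 3: files directly inside each directory of a colon-separated search
# path ($1, for example "$PATH") that group or other can write to.
# Assumption: "inappropriate" is taken to mean group- or world-writeable.
find_writable_in_path() {
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        [ -d "$dir" ] || continue
        # Starting at "dir/." with "! -name . -prune" limits find to depth 1.
        find "$dir/." ! -name . -prune -type f \
            \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null
    done
    IFS=$old_ifs
}

# Report mode: sh perm_scan.sh /usr
if [ -n "${1:-}" ]; then
    echo "== SUID/SGID files under $1 =="
    find_suid_sgid "$1"
    echo "== World-writeable files under $1 =="
    find_world_writable "$1"
    echo "== Group/world-writeable files in the search path =="
    find_writable_in_path "$PATH"
fi
```

Because -xdev stops at every mount point, a full local scan needs one run per local file system.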



