This is the readme for modules.



It contains a list of the modules in the lsat
package and what they check for.

It also has a premier at the end for creating
modules.

----------------------------------------------------------------------------
Modules in the LSAT package:

checkbp:
- Checks for boot loader password.
- Currently only for grub and lilo.

checkcfg:
- This module is performed last
- RedHat specific. Just prints out /sbin/chkconfig --list so that
  the user can perform a visual inspection.

checkdotfiles:
- Looks for .forward, .exrc, .rhosts and .netrc files on the system.
- Does not span "other" filesystems. 

checkfiles:
- checks that /tmp and /var/tmp have sitcky bit set
- checks utmp, wtmp, motd, mtab for chmod 644.
- checks /usr, /var dirs/files for root ownership.

checkftpusers:
- checks that all accounts in /etc/passwd are in /etc/ftpusers.

checkhostsfiles:
- Reads /etc/hosts.allow and /etc/hosts.deny files
- Checkes deny for ALL:ALL statement.
- Checks allow for any ALL statements.

checkinetd:
- Checks either /etc/inetd.conf or /etc/xinetd.d/* 
- If inetd.conf, it checks for entries not hashed out.
	(All entries should be commented out :)
- If xinetd.d it checks all files in that dir for disable = yes.

checkinittab:
- Checks to see if default runlevel is 5. If it is, give the user a warning.

checkipv4:
- Checks to see that common forwarding and ignoring are off/on in ipv4.

checkissue:
- checks to make sure that /etc/motd, /etc/issue and /etc/issue.net
  do not exist, or if they do, warn the user.

checkkbd:
- checks that ctrlaltdel function is disabled under linux.
- checks for KEYBOARD_DISABLE to be enabled under Solaris.

checklimits:
- performs simple check of limits.conf file

checklogging:
- performs a simple check to see if auth and authpriv logging facilities are on.
  This is really for older linux versions/distros as I know that RedHat and
  others now have this on by default. 

checkmd5:
- performs md5sum on all regular files on the system and saves in lsatmd5.out
- Only runs when -m switch is used
- if run more than once, old output is copied to lsatmd5.old

checkmodule:
- checks to see if loadable kernel modules are enabled 

checknet:
- checks what ports the system is listening to.
- (may not check _all_ ports. I have to RTFM on this one)

checknetforward:
- checks that ipv4 forwarding is disabled under linux
- checks that ipforwarding & source routing are disabled under Solaris
- checks that norouter & defaultrouter exist under Solaris

checknetp:
- checks to see if any interface is in promiscuous mode

checkopenfiles:
- checks all open files on the system using lsof (if installed)

checkpasswd:
- checks /etc/passwd for unneeded accounts.
- checks that only root is SUID=0.

checkpasstime:
- checks /etc/password for user accounts
- prints out list of password expiration information on those accounts

checkpkgs:
- Checks list of packages (rpms, debs) installed on the system.
- Checks against a list of "should not have" rpms.
- (this list quite possibly needs to be expanded)

checkpkgsupdate:
- checks system for available updates and prints out the list of updates
- does not work on Solaris on Mac OSX
- will also print out error (such as gentoo blocks, etc)

checkrc:
- checks /etc/rcn.d or /etc/rc.d/init.d and reports unneeded scripts.

checkrpm: (redhat specific)
- check to see if we are on redhat, and if we are...
- use the built in rpm -Va to verify rpms on the system.

checksecuretty:
- check to see if ttys other than tty[1-6] are in /etc/securetty

checkset:
- Checks system for all setuid/setgid files.
- Also checks for block or char files in /dev/ that do not belong.

checkssh:
- check some security features of ssh for instance:
  root logins, X11 forwarding and the like.

checkumask:
- checks that the default umask on the system is sensible.

checkwrite:
- Checks system for world writable files.

checkwww:
- check to see if ExecCGIs are enabled.
- check to see who is running httpd/apache.

checkx:
- checks for sommon security settings in the X window setup.

checklistening:
- checks for applications listening. This is an "extra" test
  used in conjunction with ifconfig / ip testing.

-------------------------------------------------------------------------
Writing modules:

All modules are (thus far) written in C. (hopefully ANSI C)
Looking back on this, perhaps it should have been in Python...
or perl or ADA or LISP or [insert your favorite prog language here]...

All modules (execpt dostuff.c) are called from lsatmain.c
A small description of the module is in lsatheader.h

Parameters:
A module (read function) can be passed (as of now) up
to four parameters. They are:

char release[]: basically the first field of "uname -a" output
char kernel[]: basically the third field of "uname -a" output
const char *const out_file: the file that lsat will output checks to
int verbose: integer flag to indicate we should be verbose

A module (in my mind :) should be an independant entity. 
If I were to take a module and stick it in a "main" c function
and pass it whatever parameters listed above it needs it should
function. Properly.

In doing the above I am setting this up to where modules can 
be added or deleted without problems. Having a module depend
on the output of another is not my goal or desire. It may 
run a little slower for some things like this, but one
can customize it whenever and however they see fit with
relative ease.

Modules should return zero or greater on success and a negative
number on failure. Modules should themselves output error msgs,
not lsatmain.c. (although lsatmain.c will say "Module x failed,
you should have seen errors.", upon receiving a negative number
from a returning module)

Modules should have a small description at the top and _should_
be able to cope with being on different systems (Linux vs
Solaris for instance). Yes I still need to work on mine. :O

The dostuff module is a module (written by nordi (nordi at addcom dot de))
that is used to run shellcode, write to tempfiles, and append headers
and/or the tempfile to the output file. The description at the top
of dostuff is given below... written by Nordi, I quote:

"This is a function that does all the filehandling stuff for the lsat modules 
so that you don't have to reinvent the wheel every time you want to do something. 
Afterall we have to get rid of, eradicate and stamp out all kinds of redundancies.

As arguments it takes four pointers to strings: tempfile, outfile, shellcode and
header. Header can be NULL, then it simply will not be printed. One of the other
pointers can be NULL as well. In this case refer to the following list:

no NULL pointer            default behaviour
  create tempfile
  run shellcode
  append header to outfile
  append tempfile to outfile
  delete tempfile

outfile == NULL            if you want to do keep working with tempfile
  create tempfile
  run shellcode

tempfile == NULL           if you already have a tempfile and want to keep it
  run shellcode

shellcode == NULL          if you already got a tempfile but now you're finished
  append header to outfile
  append tempfile to outfile
  delete tempfile

Special Case:              just print the header to the outfile
tempfile==shellcode==NULL
  append header to outfile

Will return 0 on success and negative value on failure." - End Nordi quote.


This has (thus far) made it a lot easier to write modules. In general,
using dostuff.c one can concentrate more on exactly what they want
a module to do and not have to worry about opening files and writing
temp files etal every time one writes a module.

A basic template for a module (IMHO) would be:

int module(release, kernel, distribution, filename, verbose)
{
	/* above parameters are optional, depending on module */

	/* some internal variable defs here */

	
	/* these should be in all modules */
	const char * tempfile =NULL;
        const char * shellcode=NULL;
        const char * header   =NULL;

	if (verbose > 0)
	{
		printf("Starting module: module\n");
	}
	
	/* do something you want to... */
	/* we ALWAYS call the tempfiles lsatn.lsat, 	*/
	/* where n is an integer... this is for cleanup */
	/* purposes...					*/

 	if (verbose > 0)
	{
		printf(" Generating list of badstuffs\n");
	}
        tempfile = "/tmp/lsat1.lsat";
	shellcode = "find / -name badstuff 2>/dev/null >/tmp/lsat1.lsat";
        header = "I am finding the bad stuff man\n";
	if ((dostuff(tempfile, filename, shellcode, header)) < 0)
	{
		/* "but Den, with the Loc-nar we could have returned to earth..." */
		perror(" Could not generate list");
		return(-1);
	}

	if (verbose > 0)
	{
		printf("Finished in module: module...\n");
	}
	
	return(0);
}

Some things worth noting are this:
- We always call tempfiles lsatn.lsat where n is an integer.
- We always use verbose > 0, and the first and last verbose
statements have no space before the output. The inner
verbose statements have a space. This makes verbose output pertty.
- We always check the return value of dostuff, and perror if problems.
- We always return 0 on success and something less than 0 on
failure.

There are times when one needs to create a temp file for storage 
due to the fact tha the module may be looping through some data 
that the shellcode has generated. This can be done and is ok, but
use the following example as a guide to (safely) create a temp file:

int fileval;
if ((fileval = open("/tmp/lsat4.lsat", O_RDWR | O_CREAT, 0600)) < 0)
{
    perror("Could not make file w/perms 0600...\n");
    perror("Possible link attack while creating/opening file!\n");
    exit(-1);
}

One thing to point out is to be careful of open files when
doing this two temp file procedure. If one calls dostuff and
the file was already open, it will puke, hurl and pass out.

I will put some more info in here when I get some time :)

../number9